I have a tiny web server “lighttpd” at a NAS (Network Attached Storage). It gets more popular than the conventional appache in last years (in particular for light web server markets). Lighttpd is very nice, as it’s light weight, easy to configure and most of all, easy to password-protect folders. There are 3 password formats:
plain A file which contains username and the clear text password separated by a colon. Each entry is terminated by a single newline. e.g.
agent007:secret
htpasswd A file which contains username and the crypt()’ed password seperated by a colon. Each entry is terminated by a single newline.
e.g.: agent007:XWY5JwrAVBXsQ
You can use htpasswd from the apache distribution to manage those files.
$ htpasswd file4lighttpd.user.htpasswd agent007
htdigest A file which contains a line per user identification. Each line contains the username, realm and a MD5 value separated by colons. eg
agent007:download area:8364d0044ef57b3defcfa141e8f77b65
The MD5 value is the checksum of a string concatenating the username, realm and password, separated by colons.
There are many ways to create htdigest file. I prefer the 2nd approach, as it is easy and need non additional installation. The important thing is to restrict access to your password file. You don’t want it has rwxrwxrwx access. I keep my as
-rw-r–r– 1 root root 140 Jun 19 2008 /etc/lighttpd/lighttpd.htdigest.user
1. You can use htdigest from the apache distribution to manage that kind of files.
$ htdigest lighttpd.user.htdigest 'download area' agent007
2. Using md5sum can also generate the password-hash:
#!/bin/sh user=$1 realm=$2 pass=$3 hash=`echo -n "$user:$realm:$pass" | md5sum | cut -b -32` echo "$user:$realm:$hash"
To use it (spaces between arguments!):
$ htdigest.sh 'agent007' 'download area' 'secret' agent007:download area:8364d0044ef57b3defcfa141e8f77b65
3. The pro way, this script can be used for service:
#!/bin/sh
export PATH="/bin:/usr/bin:/usr/sbin:$PATH"
# when input ctrl-c, remove lockfile and exit
trap '[ $lockstart -eq 1 ] && unlock $pfile && exit 0 || exit 0' INT
pfile="/etc/lighttpd/conf.d/lighttpd.user"
lockstart=0
remove=0
errmsg() {
echo "$1" > /dev/stderr
}
user_check() {
check_user=$1
grep "^${check_user}:" ${pfile} >& /dev/null
return $?
}
lock() {
lockfile="$1"
lockfile="${lockfile}.lock"
[ -f "${lockfile}" ] && {
errmsg "WARNING: lock file ${lockfile} is already exists"
errmsg " Wait minites for end of previous working ..."
}
while [ -f "${lockfile}" ]; do echo >& /dev/null ; done
touch ${lockfile}
lockstart=1
}
unlock() {
lockfile="$1"
lockfile="${lockfile}.lock"
[ -f "${lockfile}" ] && rm -f ${lockfile} && lockstart=0
}
usage() {
errmsg
errmsg "lightdigest: lighttpd htdigest password generation program"
errmsg "Scripted by JoungKyun.Kim <http://oops.org>"
errmsg
errmsg "Usage: $0 -[hd] -u user -p pass -r realm [-f password_file]"
errmsg "Options:"
errmsg " -h print this help messages"
errmsg " -u user username"
errmsg " -p pass password"
errmsg " -r realm realm name"
errmsg " -f filename password file [default: /etc/lighttpd/conf.d/lighttpd.user"
errmsg " -d remove user"
errmsg
[ $lockstart -eq 1 ] && rm -f ${pfile}.lock
exit 1
}
opts=$(getopt df:hp:r:u: $*)
[ $? != 0 ] && usage
set -- ${opts}
for i
do
case "$i" in
-d) remove=1; shift;;
-f) pfile="$2"; shift; shift;;
-p) pass="$2"; shift; shift;;
-r) realm="$2"; shift; shift;;
-u) user="$2"; shift; shift;;
--) shift; break;
esac
done
#echo $user
#echo $realm
#echo $pass
#echo $pfile
#echo $remove
[ -z "$user" ] && errmsg "ERROR: User is none!!" && usage
[ ${remove} -eq 0 -a -z "${realm}" ] && errmsg "ERROR: Realm is none!!" && usage
if [ -z "${pass}" -a ${remove} -eq 0 ]; then
echo -n "Input new password : "
read newpass
echo -n "Reinput password for confirm : "
read renewpass
if [ "${newpass}" != "${renewpass}" ]; then
errmsg "ERROR: Password is not match"
exit 1
fi
pass=${newpass}
fi
lock ${pfile}
if [ ${remove} -eq 0 ]; then
# User Add Mode
hash=$(echo -n "${user}:${realm}:${pass}" | md5sum | cut -b -32)
user_check ${user}
already=$?
[ -f "${pfile}" ] && cp -af ${pfile} ${pfile}.bak
if [ ${already} -eq 0 ]; then
# already exists
perl -pi -e "s/^${user}:.*$/${user}:${realm}:${hash}/g" ${pfile}
else
# add new user
echo "${user}:${realm}:${hash}" >> ${pfile}
fi
else
# User Remove Mode
tmp_htdigest="/tmp/lighttpd-htdiges.tmp.$$"
cp -af ${pfile} ${pfile}.bak
grep -v "^${user}:" ${pfile} > ${tmp_htdigest}
mv -f ${tmp_htdigest} ${pfile}
fi
unlock ${pfile}
exit 0
To use it (don’t use realm value! getopt of some bash version has bug.) :
# if you add or change $ lightdigest -u USERNAME -r REALM_NAME -f PASSWORD_FILE_PATH # if you want to remove use $ lightdigest -d -u USERNAME
have you ever tried avast antivirus before?