2025-03-09 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article shows how to implement user-authenticated access over an encrypted connection with Apache on RHEL 6.3. The editor thinks it is very practical and shares it here for reference.
I. Business requirements
Apache needs to provide encrypted access combined with user authentication, to protect specific site pages. The implementation is broken down step by step below.
II. Specific implementation steps:
1. Set up the home directory and web page
[root@test1 www]# mkdir virt1
[root@test1 www]# ls
cgi-bin  error  html  icons  manual  virt1
[root@test1 www]# cd virt1
[root@test1 virt1]# echo "welcomt to apache website" > index.html
[root@test1 virt1]# ls
index.html
[root@test1 virt1]# cat index.html
welcomt to apache website
2. Use the htpasswd tool that comes with Apache to generate the password file that serves as the source for user authentication.
Format: htpasswd options FilePath user
-c: create the password file; use this option only the first time (it overwrites an existing file)
-m: store passwords hashed with MD5 (the $apr1$ format)
-D: delete the user from the password file
[root@test1 conf]# htpasswd -cm .htpasswd aaa
New password:
Re-type new password:
Adding password for user aaa
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
[root@test1 conf]# htpasswd -m .htpasswd bbb
New password:
Re-type new password:
Adding password for user bbb
[root@test1 conf]# cat .htpasswd
aaa:$apr1$hhFTA/vU$GwUfNDRNGFGIyHWftqc2M1
bbb:$apr1$QHr2Dpff$wMtQI74PcbNOMrY0mPgpa0
[root@test1 conf]#
To delete a user:
# htpasswd -D .htpasswd aaa
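Each line written by htpasswd -m has the form user:$apr1$salt$digest. The following added example (not part of the original article, and not Apache's own code) recomputes that digest in Python to show what the fields mean and to check a password against an entry when auditing a file. The names apr1_hash and check_entry and the sample entry are assumptions made for illustration; the sample is not one of the entries above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Emit `count` characters, 6 bits each, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt):
    """Recompute an Apache $apr1$ (salted, 1000-round MD5) password hash."""
    pw, sl = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    final = hashlib.md5(pw + sl + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(final[:min(16, left)])
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed stretching loop
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return "$apr1$%s$%s" % (salt[:8], body + _to64(final[11], 2))

def check_entry(line, password):
    """Parse one 'user:$apr1$salt$digest' line and test a password against it."""
    user, _, stored = line.strip().partition(":")
    fields = stored.split("$")                 # ['', 'apr1', salt, digest]
    if len(fields) != 4 or fields[1] != "apr1":
        raise ValueError("not an $apr1$ entry: %r" % user)
    return user, hmac.compare_digest(apr1_hash(password, fields[2]), stored)

# Sample entry (not from this article): user myName, password myPassword.
SAMPLE = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
```

The salt is stored in clear text next to the digest, and the work factor is fixed at 1000 MD5 rounds, so the file's protection rests on its permissions and location outside the DocumentRoot.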
3. Use basic authentication for the specified web directory
For example, require user authentication for access to the test1.demo.com website.
Edit Apache's main configuration file, /etc/httpd/conf/httpd.conf:
NameVirtualHost 192.168.1.123:80
<VirtualHost 192.168.1.123:80>
DocumentRoot /var/www/virt1
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
# Directory path assumed to be the DocumentRoot; the Auth* directives must sit in a directory context
<Directory "/var/www/virt1">
AuthName "realm"
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require user aaa bbb
</Directory>
</VirtualHost>
[root@test1 virt1]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]
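4. Encryption configuration
Generate the server's private key, create a certificate signing request, and sign it with the local CA. No key size is passed to genrsa, so this OpenSSL version falls back to its 512-bit default, as the output shows; that is too small for anything beyond a lab, so specify a size of at least 2048 bits for real use.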
[root@test1 conf]# (umask 077; openssl genrsa -des3 -out server.key)
Generating RSA private key, 512 bit long modulus
. +
. +
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@test1 conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: CN
State or Province Name (full name) []:
Locality Name (eg, city) [Beijing]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Tianli
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: test1.demo.com
Email Address []:
Please enter the following 'extra' attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
[root@test1 conf]# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Jan 31 05:37:44 2013 GMT
Not After: Jan 31 05:37:44 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = Hebei
organizationName = Default Company Ltd
commonName = test1.demo.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14
X509v3 Authority Key Identifier:
keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62
Certificate is to be certified until Jan 31 05:37:44 2014 GMT (days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Write out database with 1 new entries
Data Base Updated
Copy the virtual host block from httpd.conf into ssl.conf, change the port to 443, and add the SSL directives:
NameVirtualHost 192.168.1.123:443
<VirtualHost 192.168.1.123:443>
DocumentRoot /var/www/virt1
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ServerName test1.demo.com
ErrorLog logs/test1.demo.com-error.log
# Directory path assumed to be the DocumentRoot; the Auth* directives must sit in a directory context
<Directory "/var/www/virt1">
AuthName "realm"
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require user aaa bbb
</Directory>
</VirtualHost>
Note: the corresponding block in the original httpd.conf file needs to be commented out or disabled.
[root@test1 conf]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost 192.168.1.123:80 has no VirtualHosts
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server test1.demo.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[  OK  ]
[root@test1 conf]#
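The note above matters because Basic authentication sends the user name and password with every request, so a virtual host that enables it without SSLEngine on exposes them on the wire. The following added example (not part of the original article) scans configuration text for that case. The function name basic_auth_without_tls is hypothetical, the sample configuration is constructed from the article's two virtual hosts, and it assumes the directives sit inside <VirtualHost> blocks.

```python
import re

def basic_auth_without_tls(conf_text):
    """Return (address, ServerName) for each <VirtualHost> that enables
    Basic authentication but does not set SSLEngine on."""
    findings, vhost = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or commented out
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = {"addr": opened.group(1).strip(), "name": None,
                     "basic": False, "ssl": False}
        elif vhost is not None and re.match(r"</VirtualHost>", line, re.I):
            if vhost["basic"] and not vhost["ssl"]:
                findings.append((vhost["addr"], vhost["name"]))
            vhost = None
        elif vhost is not None:
            name, arg = (line.split(None, 1) + [""])[:2]
            name, arg = name.lower(), arg.strip()
            if name == "servername":
                vhost["name"] = arg
            elif name == "authtype" and arg.lower() == "basic":
                vhost["basic"] = True
            elif name == "sslengine" and arg.lower() == "on":
                vhost["ssl"] = True
    return findings

# Constructed sample: the article's two virtual hosts in one configuration.
SAMPLE_CONF = """
<VirtualHost 192.168.1.123:80>
ServerName test1.demo.com
<Directory "/var/www/virt1">
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require user aaa bbb
</Directory>
</VirtualHost>
<VirtualHost 192.168.1.123:443>
ServerName test1.demo.com
SSLEngine on
<Directory "/var/www/virt1">
AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd
Require user aaa bbb
</Directory>
</VirtualHost>
"""
```

Run against the sample, the function reports only the port 80 virtual host; once that block is commented out, it reports nothing.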
III. Testing
Open https://test1.demo.com in Firefox
Click I Understand the Risks
Click Add Exception
Click Confirm Security Exception
Enter the user name and password
Finally, the contents of the protected page are displayed
This is how RHEL 6.3 implements user authentication over encrypted access. The editor believes these are techniques you may see or use in daily work, and hopes you can learn more from this article.