Internet
Security and HTML
HTAccess - Password protection
By using htaccess, we can restrict access to our sites. We can create usernames and give them specific passwords. In this lab, we'll create a file and password-protect it.
* Note: do NOT password-protect your root directory or your public_html directory, or we will not be able to view your hw or projects!
Telnet to your jhunix account and enter your public_html directory.
Create a directory called "secret" and give it rx permissions.
cd into this directory and pico a file called secret.txt.
Type a sentence or two in this file and exit/save; give it read permissions.
Now we'll password-protect it. By adding an .htaccess file in this directory, we will restrict access to any file or directory within it.
You are in your secret directory. Type pwd -- highlight the output and copy it.
Mine looks like this:
/users/as/ins/4/.sl3/public_html/secret
pico .htaccess
This is what goes in your .htaccess file:
AuthUserFile /users/as/ins/4/.sl3/public_html/secret/.htpasswd
AuthGroupFile /dev/null
AuthName "Enter your password"
AuthType Basic
require valid-user
AuthUserFile tells the server where the .htpasswd file is. It's in the secret directory of our account.
AuthName is the text that shows up in the browser's login box.
Now we have created our .htaccess file. What we'll do next is create usernames and their corresponding passwords.
Type: htpasswd -c .htpasswd username
The first htpasswd is a command. We'll execute the command htpasswd, which is like a program.
The -c means create -- this is only needed the first time.
The .htpasswd is a destination (it'll always be .htpasswd)
The username is any name you wish to give a password
It will then say, "Adding password for username. New password:"
This is where you type in a password. It'll ask you to retype it; do that.
Now you created a password for your secret file. Nice.
Do it again, this time you won't need a -c:
htpasswd .htpasswd steve
This'll create a new password for steve. Create at least two users and passwords (remember them!).
Now give rx permissions to the .htaccess and .htpasswd files
Bring up the page http://jhunix.hcf.jhu.edu/~login/secret/secret.txt
Give it the password and see what you wrote
Say you want to revoke password privileges for steve. Easy:
Pico your .htpasswd file.
You'll see at least two lines. Each line is a user:password pair (the passwords are stored as hashes, not in plain text).
Delete the line with steve. Now he is no longer a user.
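To see what the server is actually doing with that user:password file, here is an added example (not part of the original lab and not Apache's own code) that parses a constructed .htpasswd, checks a login the way the server does, and removes a user the way the "delete the line with steve" step does. The hashes use Apache's {SHA} format (base64 of the SHA-1 of the password), chosen because it needs only the Python standard library; the htpasswd on the lab machine may write a different format, which this code deliberately refuses rather than guesses at.

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Return the hash field in Apache's {SHA} format: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed sample .htpasswd contents (not a real file from the lab):
# one "user:hash" line per user, exactly the layout the lab describes.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + sha_entry("wonderland"),
    "steve:" + sha_entry("letmein"),
]) + "\n"


def parse_htpasswd(text: str) -> dict:
    """Map each username to its stored hash; blank and comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def check_password(entries: dict, user: str, password: str) -> bool:
    """Verify a login attempt the way the server does: hash the candidate and
    compare it with the stored field. Unknown users and hash formats this
    code does not understand fail closed."""
    stored = entries.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry(password)
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(candidate, stored)


def revoke_user(text: str, user: str) -> str:
    """Drop a user's line, which is all the lab's pico edit does; every other
    line is kept unchanged."""
    kept = [line for line in text.splitlines()
            if line.split(":", 1)[0] != user]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print("alice/wonderland ->", check_password(users, "alice", "wonderland"))
    print("steve/guess      ->", check_password(users, "steve", "guess"))
    after = parse_htpasswd(revoke_user(SAMPLE_HTPASSWD, "steve"))
    print("users after revoking steve:", sorted(after))
```

The point of check_password is that the file never needs the password itself: the server hashes what the browser sends and compares hashes, which is why the file is safe to read-protect but never needs to be world-writable.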
PGP: Pretty Good Privacy
TA will explain public and private keys.
Your public key is just that: public. Everyone can have access to it.
Your private key is for your eyes only. It is password protected.
They go together: what my private key encodes, my public key decodes, and what my public key encodes, my private key decodes. But you can't figure out one key if you have the other.
If I send a message using my private key, everyone in the world can decode it (my public key is public, right?). But they know I sent it: only my private key could have created this message, and only I have my private key. This is authentication.
If I send a message to you using your public key, that is for security. Everyone can use your public key to send you messages, but only you have the decoder: your private key. Only you will be able to read my secret message.
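The two uses of a key pair just described (encrypt with the recipient's public key for secrecy, transform with your own private key for authentication) can be seen in a handful of lines of textbook RSA. This is an added example, not PGP's code and not part of the original lab, and it uses deliberately tiny primes (p=61, q=53) so that every number can be checked by hand; real keys are thousands of bits long and add padding, so this is a teaching model, not a cipher to use.

```python
# Toy RSA: one byte per block, parameters small enough to check by hand.
# Teaching aid only; not secure and not PGP's algorithm as deployed.

def make_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return (public, private) as (e, n) and (d, n).
    d is the inverse of e modulo (p-1)(q-1). Without p and q, getting d
    from (e, n) means factoring n, which is why holding the public key
    does not hand you the private one."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(blocks, key):
    """Raise every block to the key's exponent mod n. Applying one key of
    the pair and then the other returns the original blocks."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def to_blocks(text: str):
    return list(text.encode())   # every byte is < n, so one byte per block


def from_blocks(blocks) -> str:
    if any(b > 255 for b in blocks):
        raise ValueError("blocks are not bytes: wrong key?")
    return bytes(blocks).decode()


def encrypt_for(recipient_public, text: str):
    """Secrecy: the sender uses the recipient's PUBLIC key. Anyone can do this."""
    return apply_key(to_blocks(text), recipient_public)


def decrypt_with(own_private, blocks) -> str:
    """Only the holder of the matching PRIVATE key gets the text back."""
    return from_blocks(apply_key(blocks, own_private))


def sign_with(own_private, text: str):
    """Authentication: transform with your own PRIVATE key; nobody else can."""
    return apply_key(to_blocks(text), own_private)


def verify_with(signer_public, signed_blocks, text: str) -> bool:
    """Anyone holding the signer's PUBLIC key can check the result matches."""
    try:
        return from_blocks(apply_key(signed_blocks, signer_public)) == text
    except ValueError:
        return False


if __name__ == "__main__":
    my_pub, my_priv = make_keypair()
    cipher = encrypt_for(my_pub, "hi")
    print("encrypted blocks:", cipher)
    print("decrypted with my private key:", decrypt_with(my_priv, cipher))
    sig = sign_with(my_priv, "hi")
    print("signature checks with my public key:", verify_with(my_pub, sig, "hi"))
    print("same signature over altered text:", verify_with(my_pub, sig, "ho"))
```

With the default parameters the private exponent comes out to 2753 and n to 3233, which is the standard textbook example, so the arithmetic can be verified on paper. Note that the only thing the two directions share is apply_key; which key you start with is what decides whether you get secrecy or authentication.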
Now, cd to your home directory.
Pico your .profile (do not mess with the rest of this file; it's important).
In the first break of this file, add this line:
alias pgp=~login/.pgp/pgp
Replace login with your unix login.
Exit and save. Then log out, quit, and re-telnet. You have to log out and log back in for the change to take effect.
Create a directory called .pgp and enter it
We'll copy pgp files from Leu (basic software)
Type: cp ~net113/pub/pgp/* . (that last dot is intentional)
Now give everything rx permissions (chmod a+rx *) while in the .pgp directory.
Type: pgp -kg
This will create your key (-kg is key generation)
Select one of the encryption schemes. More bits = more security = less speed.
Create an ID you will remember. This is your pgp login. (I use my name.)
Create a password you will remember!
When it asks you to hit keys, do so until the number reaches zero. This will generate your random key using the time interval between keystrokes.
Don't try to view the .pgp files in the .pgp directory; they may mess up your terminal.
You made your key.
Let's make that public key public now by adding it to your .plan file
Extract it by typing this (where pgp-login is the login you gave a few minutes ago):
pgp -kxa pgp-login temp
cat temp.asc >> ../.plan
If you are already in your home directory, ignore the ../
Now give your .plan file read permissions, if it doesn't already have them.
Now your public key is attached to your .plan file, which is readable.
cd to home and pico .plan to see your public key; it will look like gibberish.
(You only have to do that stuff once.)
TO ADD OTHER PEOPLE'S KEYS TO YOUR KEYRING
- Get the unix login of the person next to you. Or use mine: sl3
- Type this:
finger login > filename
where filename is any filename (it's just temporary)
- Now you'll search that file for any pgp key, then add the key (-ka) by typing:
pgp -ka filename
where filename is the same as above
- Hit yes to the questions. You can certify these keys since you are SURE that the person you are getting it from is the person who made the key.
- Get at least two other keys.
- To view your keyrings, type: pgp -kv
TO ENCRYPT A MESSAGE
- Pico a file called "note" and type a message. Exit and save it.
- Type: pgp -ea filename recipients-pgp-login
- filename = note
- recipients-pgp-login is the pgp name of the key you added.
- This will produce note.asc
- This is encoded using the public key of the person you specified with recipients-pgp-login.
- Fire up pine, compose a message to all recipients you want, and attach the note.asc file (not the note file; the note.asc file is the encrypted one).
- Then send it to that person. You can send it to anyone, but only that person will have the private key to decode it.
- To decrypt it, when it comes, view the attachment. Save it.
- Exit pine. Go to the directory where note.asc is
- Type: pgp note.asc (or whatever it's called)
- Overwrite any files (it will ask)
- Pico the file and you can read the message
- Only you could have decoded this message. It was encrypted with your public key and can only be decrypted with your private key. That's why it asked for your password!