4

How to assign multiple passwords to the same user in .htaccess password protection?

It looks like this in my .pass file, but only the first one is working

christina:o5hZ6Uplugq.2
christina:uaZOUG6BzJaUc

Zhenyu
  • 263
  • I don't think you can do that. A single .htpasswd file accepts one user-pass combo. In order to do what you want, you need to have different .htpasswd files, located in different directories – andrew Aug 06 '14 at 12:46
  • This would be a good way to rotate a shared password (which is why I Googled the question). – Steve Nov 19 '19 at 16:13
  • I think OP clearly demonstrated the required minimal understanding, I believe the closure was a bad decision. – peterh Aug 31 '23 at 12:06

1 Answer

5

We can see the source code of the HTTP authenticator in the Apache httpd here:

https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/aaa/mod_auth_basic.c

In the function get_basic_auth() and in authenticate_basic_users() we can clearly see that the interpretation of the .htaccess file happens in two steps:

  1. gets the line of the .htpasswd describing the actual user
  2. calculates the hash value of the given password and compares this with the htaccess value.

If I interpret the code well, in case of duplicated users, only the first line will have any sense.

Of course you can reach this if you want, but you have to extend this source file a little bit. Or, what is more feasible, you have to use some other type of authentication. For example, an authentication against a database backend may or may not have this additional feature as well. Google for "apache authentication ldap" or something like that, if you wish.

peterh
  • 4,971
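
An added example (not part of the original answer, and not Apache's code): a small audit that applies the first-match lookup described in the answer to the contents of a password file and reports the lines that can never authenticate, which is useful when a password rotation leaves a stale duplicate behind. The function names are hypothetical, and the `alice` entry and its hash are constructed sample data; the two `christina` lines are the ones from the question.

```python
# Constructed sample: the question's two lines plus a made-up user.
SAMPLE = """\
christina:o5hZ6Uplugq.2
christina:uaZOUG6BzJaUc
# comment line
alice:$apr1$constructed$notARealHashValue00000
"""


def audit_htpasswd(text):
    """Return (effective, shadowed) for the contents of a password file.

    effective: {user: (line_no, hash)} for the first line of each user,
               the only line a first-match lookup ever reaches.
    shadowed:  [(line_no, user, first_line_no)] for later duplicates.
    """
    effective = {}
    shadowed = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Assumption: blank lines and lines starting with '#' are ignored.
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep:
            continue  # no colon: not a user:hash entry, skipped by this audit
        pw_hash = rest.split(":", 1)[0]  # ignore any trailing fields
        if user in effective:
            shadowed.append((line_no, user, effective[user][0]))
        else:
            effective[user] = (line_no, pw_hash)
    return effective, shadowed


def report(text):
    """Human-readable findings, one string per shadowed line."""
    _, shadowed = audit_htpasswd(text)
    return [
        f"line {n}: user '{user}' is shadowed by line {first} and is never checked"
        for n, user, first in shadowed
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```
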