Sometimes, you may want to use multiple locations for documents on the same website using Apache. It’s very straightforward to configure multiple document locations in Apache using the Alias directive in either the server config or VirtualHost config. Given below are the steps I used to configure a document root (/webserver/apache-2.2.12/phpMyAdmin) for the phpMyAdmin application to store it outside my default web application’s document root (/webserver/apache-2.2.12/htdocs).

STEP 1: Modify the Apache httpd.conf to add the Alias directive and ensure the new document root is accessible. Example below:

#
# DocumentRoot and Alias to point to pma's location outside DocumentRoot
#
DocumentRoot "/webserver/apache-2.2.12/htdocs"
Alias /pma /webserver/apache-2.2.12/phpMyAdmin
#
# Config options for pma document root
#
<Directory "/webserver/apache-2.2.12/phpmyadmin">
    Options -Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Note: I explicitly configured Directory options for /webserver/apache-2.2.12/phpMyAdmin as my default Directory options (for /) were very restrictive.

STEP 2: Restart Apache. Example below:

/webserver/apache-2.2.12/bin/apachectl -k restart

Using my browser, I could access the new document root at http://xx.xx.xx.xx/pma

Points to remember:

(1) Apache permits only one DocumentRoot (understandably) for a website and so you cannot have "multiple document roots". However, you access documents stored in locations outside the DocumentRoot, thereby permitting "multiple document locations". If you have more than one domain name for your website, then you may use the VirtualHost directive to configure a DocumentRoot for each website domain.

(2) Ensure you do not add a trailing / to the url (/pma) in the Alias directive. If you do so, you will see “Not Found” errors.

(3) You should not have a directory in the document root having the same name as a URL in any of the Alias directives as you will never be able to access it. Based on the example above, if I create a directory called pma in the document root /webserver/apache-2.2.12/htdocs, then I will never be able to access any files in this directory as the Alias /pma tells Apache that it must look elsewhere (/webserver/apache-2.2.12/phpMyAdmin). However, you may create the directory pma as a subdirectory withing directories in the document root (e.g. /webserver/apache-2.2.12/htdocs/test/pma)

A favicon is a 16 X 16 pixel square icon that serves as an identifier for your website (browser window, browser tab, bookmarks). So, it is important to create and install a suitable favicon for your website.

While searching for free software that helps you create favicons, I found that there were quite a few to choose from, but finally, I decided to use the free, online favicon generator at favicon.cc. This online tool is more than enough to create good basic favicons.

The features of favicon.cc which impress me are:

• Free and web-based. No client to download and install.
• Very simple and intuitive to use.
• You can preview the created favicon before downloading it.
• You can create animated favicons.
• If registered, you can save your favicon online and even publish it under an open Creative Commons license.
• You get useful tips on how to use the favicon within your HTML.

I used favicon.cc to create the favicon for this blog as well as an animated TrafficLight favicon published under the Creative Commons license.

Note: Different browsers handle favicons differently and website developers will be all too familiar with the frustration caused by browser compatability. For example, as of today, Microsoft IE does not support animated favicons.

Although using Public Key Infrastructure (PKI) with SSH is strongly recommended over password authentication, basic UNIX password authentication (using username and password for authentication) is still widely prevalent. If you are one of those users still using password authentication, then this tutorial could provide you with essential information to enable you manage your passwords and prepare to switch to PKI or other more secure methods of authentication. The examples in this tutorial are based on Fedora 11 Linux, Ubuntu 9.04 Linux and Solaris 10 (x86) and will apply to all these UNIX distributions unless otherwise mentioned. The examples for Fedora 11 will most probably apply to Red Hat Enterprise Linux (RHEL) as Fedora is a spin-off of the terminated Red Hat Linux Desktop and shares code with RHEL.

When and where are passwords created?

Passwords for users are created when a user is created. Users are typically created with the useradd command. An example user creation is given below:

useradd -d /home/asg -m -s /bin/bash asg

The above command creates a user called asg with home directory /home/asg and the bash shell and will work on

Upon creation of a user, a blank password is created, locked and assigned to that user and all password details for that user are stored in the /etc/shadow file as shown below.

# Fedora 11
asg:!!:14479:0:99999:7:::
 
# Ubuntu 9.04
asg:!:14479:0:99999:7:::
 
# Solaris 10
asg:*LK*:::::::

Note the differences in default password creation among the three UNIX distributions:

(1) Notation used to denote password locking. In Fedora 11, it’s "!!", in Ubuntu 9.04, it’s "!" and in Solaris 10, it’s "*LK*".

(2) In both Fedora 11 and Ubuntu 9.04, days that denote when the password was last changed (14479 days since 01/01/1970), before which a password may be changed (0 days), after which a password must be changed (99999 days) and the warning before a password expires (7 days) are assigned (defaults assigned in /etc/login.defs and /etc/default/useradd) whereas in Solaris 10, these values are not defined.

Refer to the shadow manual (man /etc/shadow) to understand the fields associated with a password definition (a colon separated line) for a user in the /etc/shadow file.

 How do you set passwords?

Passwords are set using the “passwd” command as shown below:

# For non-root users (e.g. asg)
passwd
 
# For root user (e.g. set the password for the asg user)
passwd asg

Note: Non-root users can set only their own passwords (unless given elevated privileges) whereas the root user can set any user’s password.

When a password is set, it will be encrypted and stored in the /etc/shadow file as in the example shown below (single line):

 asg:$6$TcNyv6EyQchM.:14479:0:99999:7:::

How do you lock passwords?

By default, as seen above, passwords are locked during user creation. If you need to lock a password any time after it has been unlocked, then the following command must be run as the "root" user:

# As root user, lock the password for the asg user
passwd -l asg

When a password is locked, the corresponding user’s account cannot be used and you cannot login directly as the user or even switch user using su.

Note: In Fedora 11 and Ubuntu 9.04, a user whose password has been locked will still have its cron jobs running normally, but in Solaris 10, such a user’s cron jobs will no longer execute.

How do you unlock passwords?

You can unlock a user’s password (as root user) in one of two ways as shown in the example below:

# Option 1: Simply set the asg user's password
passwd asg
 
# Option 2: Unlock the asg user's password
passwd -u asg

How do you delete passwords?

You can delete a user’s password (as root user) by using the passwd command as shown in the example below:

# Delete the asg user's password
passwd -d asg

How do you manage password expiry?

Just like perishables, passwords too can have lifetimes and expire. By default, when users are created, password expiry is not set, thereby allowing a password to be used forever without ever being changed. Well, password authentication is not a very secure authentication mechanism and so apart from setting difficult-to-guess passwords, it is important to change passwords often to reduce the risk of security being compromised. Password expiry may be set (as root user) as shown in the examples below:

# Option 1 : Using the passwd utility, set expiry of the asg user's password to 30 days from now
passwd -x 30 asg
 
# Option 2 (Fedora 11 and Ubuntu 9.04): Using the chage utility, set expiry of the asg user's password to 30 days from now
chage -M 30 asg

Password expiry may be unset (as root user) as shown in the examples below:

# Option 1(a) : Using the passwd utility, turn off expiry for the asg user.
passwd -x -1 asg
# Option 1(b) : Using the passwd utility, turn off expiry for the asg user.
passwd -x 99999 asg
 
# Option 2(a) (Fedora 11 and Ubuntu 9.04): Using the chage utility, turn off expiry for the asg user.
chage -M -1 asg
# Option 2(b) (Fedora 11 and Ubuntu 9.04): Using the chage utility, turn off expiry for the asg user.
chage -M 99999 asg

Note:If using password authentication, I recommend that password expiry is always turned off or disabled for system/shared user accounts to prevent inefficiencies caused by dependencies on password tracking.

What is the difference between deleted, locked and expired passwords?

Some people refer to deleted passwords as disabled passwords, but I will refrain from using the term "disabled" as it only adds ambiguity. Refer to the table below to understand the differences and similarities between deleted and locked passwords.

 How do you disable password authentication for only certain users?

Password authentication is still widely used on UNIX Production systems. And some systems even still use the telnet daemon to accept connections. The telnet protocol is insecure as the password is transmitted in plain text and if you’re using telnet on UNIX Production systems, discontinue its use and switch to the SSH daemon at the earliest. If you wish to disable password authentication for all users, then setting the directive "PasswordAuthentication no" in the sshd_config file and restarting the sshd daemon will ensure no user can use password authentication. If on the other hand, like me, you are not a System Administrator and wish to disable password authentication only for specific users (your team perhaps), then you may do so as follows (Fedora 11, Ubuntu 9.04 & most Linux distributions):

(1) Ensure each user creates a public-private key pair and configures his/her public key in the appropriate home directory, in order to use PKI/SSH to login.

(2) Turn off expiry for user passwords in order to prevent any impact on cron jobs.

(3) Lock the users’ passwords in order to prevent password authentication.

(4) For shared or system users, ensure elevated privileges are provided to normal users using softwares like sudo or Power Broker. If using sudo, the users may have to remember their passwords even though they’re using PKI, in order to use the sudo command (not mandatory, depends on sudo setup).

I know the above steps seem a weird way of configuration (use passwords and then prevent password authentication), but I haven’t found any other direct way of disabling password authentication for certain users. Using Pluggable Authentication Modules (PAM), this may be possible, but this tutorial is aimed at users currently using basic password authentication without services like PAM, kerberos, etc.

Note: I do not recommend the above 4-step procedure for Solaris 10 (& probably earlier versions) as step 3 effectively ensures that the users’ cron jobs stop working.

 References:

(1) UNIX manuals (man passwd, man chage, man shadow, man sshd): As always, read the manual!

(2) Steve Friedl’s  Secure Linux/UNIX access with PuTTY and OpenSSH: An excellent, lucid tutorial to help you get started with using PKI and SSH.

(3) Werner Puschitz’s Securing and Hardening Red Hat Linux Production Systems: An excellent guide on securing Production RHEL systems (also covers PAM).

This is what I did to install Apache 2.2.12 and PHP 5.3.0 on Solaris 9 (SPARC/Sun-Fire-V490). I chose an application user (applusr) to install Apache as I did not require to launch it on a reserved port (1-1024). Installation instructions could differ for you depending on how Solaris 9 was installed on your host (available packages).

(1) Download the following Solaris packages (not source code) from http://www.sunfreeware.com :

• libiconv (libiconv-1.11-sol10-sparc-local.gz)
• gcc (gcc-3.4.6-sol10-sparc-local.gz)
• libxml2 (libxml2-2.6.31-sol9-sparc-local.gz)

(2) Using root user privilege, install the Solaris packages downloaded in step (1) as given below (adhere to the order of installation commands). Comments (prefixed by #) provided for clarity.

# First, change directory to location of the downloaded packages.
 
cd <location of packages>
 
# Install the libiconv package
 
pkgadd -d libiconv-1.11-sol10-sparc-local.gz
 
# Install the gcc package
 
pkgadd -d gcc-3.4.6-sol10-sparc-local.gz
 
# Install the libxml2 package
 
pkgadd -d libxml2-2.6.31-sol9-sparc-local.gz

NOTE: You may try implementing steps (1) and (2) above with the latest versions of the packages.

(3) Download Apache HTTP Server 2.2.12 (httpd-2.2.12.tar.gz) at http://httpd.apache.org/download.cgi and PHP 5.3.0 (php-5.3.0.tar.gz) at http://us2.php.net/downloads.php . Verify the integrity of the downloads using PGP or MD5 (if downloading to a Windows machine, you may use winmd5sum to verify the md5 signature).

(4) Set the PATH variable correctly, so that binaries like gcc (typically in /usr/local/bin) and make (typically in /usr/ccs/bin) can be accessed. For example, my PATH is /bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/ccs/bin

(5) Compile and Build Apache (I used a non-root user and specified where I want to install Apache with the –prefix option):

# Unpack and extract the apache source
 
gunzip httpd-2.2.12.tar.gz
tar xvf httpd-2.2.12.tar
cd httpd-2.2.12
 
# Compile and build the apache source
# The –enable-so option is used to load the mod_so module at compile time in order
# to enable DSO Support for shared modules like PHP, mod_proxy, etc.).
# For illustration, apache will be installed in /webserver/apache-2.2.12
 
./configure --prefix=/webserver/apache-2.2.12 --enable-so
make
make install

(6) Install PHP (I used a non-root user and specified where I want to install PHP with the –prefix option)

# Unpack and extract the PHP source
 
gunzip php-5.3.0.tar.gz
tar xvf php-5.3.0.tar
cd php-5.3.0
 
# Compile and build the PHP source. For illustration, PHP will be installed in /webserver/PHP-5.3.0.
 
./configure --prefix=/webserver/PHP-5.3.0 --with-apxs2=/webserver/apache-2.2.12/bin/apxs --with-config-file-path=/webserver/PHP-5.3.0
make
make install

NOTE: If you are installing PHP on a computer that has access to the internet, you may run “make test” after make and before “make install” to assist the PHP community in further development of PHP.

(7) Configure PHP

• If you’ve installed Apache with non-root privileges, then modify ListenPort to a port > 1024 (For example, I configured Listen xx.xx.xx.xx:7777 to enable my apache to listen at port 7777)
• Add the following snippet to the apache 2.2.12 httpd.conf file

#
# The following lines enable Apache to handle PHP requests
#
<Filesmatch  \.php$>
	SetHandler application/x-httpd-php
</Filesmatch>

(8) Test Apache 2.2.12 and PHP 5.3.0

• Create and save file (e.g. index.php) in the document root (/webserver/apache-2.2.12/htdocs) with the following line:

<?php phpinfo() ?>

• Start Apache 2.2.12 as follows:

/webserver/apache-2.2.12/bin/apachectl -k start

• Access the file using your browser (e.g. http://localhost:7777/index.php).

References:

(1) Apache 2.2 Installation documentation

(2) PHP Installation documentation