Provided by: thy-auth_0.3.0-1_i386 bug


       dotrealm - .realm-based Authoriser for Thy


       dotrealm  is  a  so-called  Authoriser  for  the Thy HTTP daemon. It is
       spawned by the master daemon process, and they communicate via a  pipe.

       This  is  the  most simple (but usable) authoriser so far. Whenever Thy
       encounters a .realm file  in  a  directory,  she  asks  the  authoriser
       process  (in  this  case, dotrealm) to determine what the realm is, and
       later on, asks again to authorise a user, with a given password.

       This authoriser utilises PAM, putting the hard work on its shoulders.

       The authorisation process works like this: Thy encounters a .realm file
       in  a  directory, and talks a bit with the authoriser to figure out the
       realm, then passes back a username, a password, and  the  name  of  the
       realm.  The  authoriser then appends a @ and realm to the username, and
       passes it on to PAM. It uses thy as the service name.

       Let’s make it clearer with an example! Say,  we  have  a  realm,  Kitty
       (putting  the string Kitty into /var/www/kitties/.realm will accomplish
       this. Everything under /kitties/ will be under the Kitty domain), and a
       client  request  the  URI  /kitties/kitten01.jpg,  with the username of
       Catwoman and the  password  Jaguar24.  The  authoriser  will  send  the
       username Catwoman@Kitty to PAM. The password will not be altered.

       One  drawback  of  this  method  is, that one has to remember to create
       accounts with the realm appended. However, with most of the PAM modules
       which  will  be  used  with  this  authoriser,  this  shouldn’t be much


       Lets put together a complete realm!

       Suppose we do not have virtual  hosts  enabled,  and  assume  that  the
       document  root  is  /var/www. We want to restrict access to the /dirty-
       secrets hierarchy, so we put a .realm file there, containing  the  text

       Then,  we  need  to  set up PAM, to correctly handle the Secrets realm.
       Users in the realm need not to have anything to do with  system  users.
       I’d  even advise that if a user in the realm also has a normal account,
       the passwords be different.

       A sample /etc/pam.d/thy file is given below:

              auth    sufficient pwdfile=/etc/thy/realms/Secrets
              auth    required
              account required
              session required

       The /etc/thy/realms/Secrets file could look like this:


       Notice that the first password is DES-encrypted, and the second  is  an
       MD5  sum.  In  general,  one  needs to store the passwords in encrypted
       form. There are many tools to encrypt a password, one of them is  perl.
       You can generate DES-encrypted passwords like this:

              perl -e ’print crypt ("password", "salt") . "\n";’

       In  the  above  example, salt is a string of two random characters, and
       password is the password to encrypt.


       Probably many.


       Gergely Nagy <>


       thy(8), thy-auth(7)