Yale University


Restricting Access to Pantheon Web Sites

Restricting Access with a Password

You can password-protect web pages on the Pantheon by creating two files. One, the .htaccess file, specifies the usernames to be allowed access. The other, the .htpasswd file, pairs the usernames with encrypted passwords.

Restricting with an .htaccess file

The .htaccess file should be placed in the directory to which you want to restrict access. You can create it in Notepad or some other text editor. Its content should look something like this:

      AuthType Basic
      AuthUserFile /home/a2/abc000/public_html/.htpasswd
      AuthName "wwwpeople"
      require user NameOfUser

(For more details, see the bottom of this page.)

You can find out the exact name of your directory ("/home/a2/abc000/" in the above example) in a variety of ways. If you are connected to the Pantheon by SFTP, clicking Operation --> Go to Folder... will probably give you your current folder's full address. If you are connected to the Pantheon by Fugu, you can find your full address by looking at the parent directories of your Pantheon folder.

Restricting with an .htpasswd file

This file holds the data of allowed usernames and passwords for the .htaccess file. You can generate this file using the Pantheon's terminal (to connect to the terminal, see the "Using the Terminal" instructions).

On the Pantheon, the program htpasswd generates .htpasswd files.

      htpasswd [-c] passwordfile username

(The -c flag creates a new file.)

So, you can type something like

      htpasswd -c .htpasswd NameOfUser

and it will prompt you for NameOfUser's password. It will then create a file holding NameOfUser and the corresponding encrypted password.

The .htpasswd file should be placed in a directory that is not public/web readable. Note that this probably means somewhere inside your home directory. The AuthUserFile line in the .htaccess file must give the full path to wherever you put it.

Once you have set up these files correctly, anyone trying to access the restricted directory will be prompted with a window asking for a username and password.

Keep the following in mind when creating the .htaccess file:

  • The AuthType Basic directive tells the server to use simple password authentication before allowing someone to access the pages in the directory.
  • The AuthUserFile contains the accounts and passwords used to protect the directory. The accounts in this file do not need to be NetIDs and should not be protected with NetID passwords.
  • The AuthName given is the title that will appear in the password box. In the example above it is set to wwwpeople.

If you had .htaccess files prior to October 14, 2001, you may experience problems due to the Pantheon's upgrade to Apache. Please contact STC if you are having this problem.

Restricting Access to Pantheon Web Sites using CAS

Instead of protecting your web pages with a password, you may choose to restrict access based on authorization by the Central Authentication Service (CAS). If you choose to restrict access based on CAS, anyone to whom you give access to your web pages must have a valid Yale NetID.

A .htaccess file should be placed in the directory to which you want to restrict access. You can create it in Notepad or some other text editor. Its content should look something like this:

      AuthType CAS
      require user NetID1 NetID2 NetID3 etc

You may decide that you would like to restrict access to anyone with a valid NetID. To do so, your .htaccess file would look like this:

      AuthType CAS
      require valid-user
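
The following check is an added example, not part of the original Yale page: a small shell audit for the Basic and CAS .htaccess files described above. It assumes the web-served directory is named public_html, as in the page's sample path; the function names directive and audit_htaccess are made up for this example.

```shell
#!/bin/sh
# Added example: audit an .htaccess file against the advice on this page.
# Assumption: the web-served directory is called public_html.

# Print the arguments of the first occurrence of directive $2 in file $1.
# Apache directive names are case-insensitive; '#' lines are comments.
# Trailing CRs are stripped because the file may have been made in Notepad.
directive() {
    awk -v want="$2" '
        { sub(/\r$/, "") }
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit
        }' "$1"
}

# audit_htaccess FILE [WEBROOT_NAME]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_htaccess() {
    file=$1; webroot=${2:-public_html}; bad=0
    authtype=$(directive "$file" AuthType | tr '[:upper:]' '[:lower:]')
    require=$(directive "$file" Require)
    userfile=$(directive "$file" AuthUserFile)
    authname=$(directive "$file" AuthName)

    [ -n "$authtype" ] || { echo "no AuthType directive"; bad=1; }
    # Without a Require line the directory is not actually restricted.
    [ -n "$require" ] || { echo "no Require directive"; bad=1; }

    if [ "$authtype" = basic ]; then
        [ -n "$authname" ] || { echo "AuthName missing"; bad=1; }
        case $userfile in
            "") echo "AuthUserFile missing"; bad=1 ;;
            /*) ;;  # absolute path, as required
            *)  echo "AuthUserFile is not a full path: $userfile"; bad=1 ;;
        esac
        # The password file should live outside the web-served tree.
        case "$userfile/" in
            */"$webroot"/*)
                echo "AuthUserFile is under $webroot: $userfile"; bad=1 ;;
        esac
    fi
    return $bad
}
```

Run as audit_htaccess .htaccess from the protected directory. Run against the sample Basic file shown earlier, it reports that the AuthUserFile path sits under public_html, which is the placement the .htpasswd advice above says to avoid.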

Last modified: Monday, 25-Feb-2008 14:56:48 EST. (jj)