Knoppmyth R5F27:

To disable Passwords for website access

edit the file /etc/apache2/apache2.conf Pound out the following lines below and then run /etc/init.d/apache2 restart

#<Directory />
#     AuthType           Digest
#     AuthName           "MythTV"
#     AuthUserFile       /etc/<em class="highlight marker searchword-1">htdigest</em>
#     Require            valid-user
#     BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
#</Directory>

Please note that this is generally not recommended. You should be very sure that there is no external network access to the web server and no one else on your LAN who shouldn't have full and unfettered access to the box. This includes people who might accidentally change some system setting while idly poking around and reconfigure the box in bizarre and confusing ways, such as the resident 12 year old, your SO, or the neighbor who is "borrowing" your WiFi access.

Knoppmyth R5F1:

For this version of Knoppmyth, there is no more need to edit config files. All you need to do is set up a username and password for entry into <em class="highlight marker searchword-0">Mythweb</em>.

• log in to a command line as root
• use the command "<em class="highlight marker searchword-1">htdigest</em> -c /etc/<em class="highlight marker searchword-1">htdigest</em> MythTV -username-"
• enter your new password twice
• restart Apache with "/etc/init.d/apache2 restart"

After you do that, you can enter additional usernames and passwords with the command: "<em class="highlight marker searchword-1">htdigest</em> /etc/<em class="highlight marker searchword-1">htdigest</em> MythTV -username-"

Then you can login to the local IP address of the Myth box using a web browser (Firefox recommended), using your newly entered usernames and passwords.

6-18-07 neutron68

R5B7 NOTE: KnoppMyth, R5B7, includes an option to secure ~<em class="highlight marker searchword-0">MythWeb</em> during the install process. If you would like to adjust the security settings, you can use the ToggleWebSecurity.sh script. The steps for securing <em class="highlight marker searchword-0">MythWeb</em> below are only applicable with pre-R5B7 releases. See http://mysettopbox.tv/phpBB2/viewtopic.php?t=9239 for how securing ~<em class="highlight marker searchword-0">MythWeb</em> has changed under R5B7.

(Added by Mark H):
The newer versions of Knoppmyth use Digest authentication instead of BasicAuth type. IE 6 and below (and IE for pocket pc) does not handle digest authentication very well. If you want this to work (i.e. you want to use IE with <em class="highlight marker searchword-0">MythWeb</em>), you need to turn off Digest and turn on BasicAuth. To do this, simply run ToggleWebSecurity.sh -<em class="highlight marker searchword-0">mythweb</em> as root. This will turn off all <em class="highlight marker searchword-0">mythweb</em> security. Follow the instructions below to turn on BasicAuth type.

Securing ~<em class="highlight marker searchword-0">MythWeb</em> with a password

MythTV includes ~<em class="highlight marker searchword-0">MythWeb</em>, which allows you to set and modify recording schedules via the web. Ideally, this can be done from anywhere just by logging into your computer. However, unless you'd like total strangers recording random programs for you, you should lock this down with authentication. Here are three different ways to do so:

Modifying httpd.conf to set overall authentication for all Apache-served pages

1. Edit Apache's httpd.conf file to turn on authentication. Use your text editor of choice. My example will use nano:

su
nano /etc/apache/httpd.conf

While in nano, press control-w to bring up its search feature. Then search for <Directory /var/www/> (Note Mark H: on mine it is around line 283 and says <DocumentRoot /var/www). Cursor down a few lines until you see: AllowOverride None. Then add the following lines underneath it:

# Force a password
AuthType Basic
AuthName "BasicAuth"
AuthUserFile /etc/apache/basicauth
Require valid-user

Save changes with control-o and quit with control-x.

(Note by Mark H: If you are switching from Digest Auth to BasicAuth, you will also need to edit /etc/apache/modules.conf and comment out (put # in front of) two lines toward the bottom that contain "pam_auth_module" and "digest_auth_module". It may also be necessary to edit /usr/share/mythtv/<em class="highlight marker searchword-0">mythweb</em>/.htaccess. In this file, if you see AuthType Digest, you'll have to make sure that line and the next five ar commented out (again, using a '#' character at the beginning of the line). These five lines start at line 21 for me (R5C7) and include "AuthType", "AuthName", "AuthDigestFile", "Require", and "BrowserMatch".

2. Create a username and password for web access. The example below creates a user called "mythtv." While still as root:

htpasswd -c /etc/apache/basicauth mythtv
(then enter your desired password for web access)

This creates a file called basicauth that contains the username and password for ~<em class="highlight marker searchword-0">MythWeb</em> access. Note the "-c" option is only used when creating the initial file. Leave it off if you add new users in the future.

3. Apache then needs to be restarted for the changes to take effect. While still as root:

/etc/init.d/apache restart

4. Accessing ~<em class="highlight marker searchword-0">MythWeb</em> should now require a password.

5. If you are using a SOHO router and/or firewall, you'll need to allow incoming traffic to port 80, and point that traffic to the IP number of your KnoppMyth box.

5.a If you already have a system that external port 80 traffic is directed to, you may wish to forward traffic hitting your router/firewall on port 8000, or some port in the range of port 8000-8999 to your <em class="highlight marker searchword-0">MythWeb</em> server on port 80. The specifics for setting up this variety of port forwarding will vary from router/firewall to router/firewall.

Using .htaccess to set authentication for specific folders (in this case, ~<em class="highlight marker searchword-0">MythWeb</em>)

1. Use htpasswd to set up a password file as described above

2. Edit /etc/apache/conf/httpd.conf and change AllowOverride so Apache will <em class="highlight marker searchword-2">accept</em> and use .htaccess files. You can change AllowOverride to All, or be less permissive. You will need to change the AllowOverride for both "/" and for Apache in general.

3. Edit the /var/www/.htaccess that is distributed by KnoppMyth. The first four lines are commented out: uncomment them. The line that points at the password file should be changed to point to the file you created in Step 1.

4. Also, while you are editing .htaccess, change the line:

session.save_path = php_sessions

to:

session.save_path = /tmp

Otherwise, when you access web pages, you will receive an error about php_sessions and directories not existing.

This HOWTO was adapted from the following pages:
http://mysettopbox.tv/phpBB2/viewtopic.php?t=212
http://mysettopbox.tv/phpBB2/viewtopic.php?t=2378

Setting up SSH to securely "tunnel" port 80

1. Download and install an SSH client on your remote computer. For Windows machines, an excellent choice is PuTTY.

2. Configure your firewall/router to forward port 22 to your KnoppMyth box. If your firewall has the ability to change the external port number, I recommend you use an external port other than 22 to enhance security. One such open-source firewall is m0n0wall.

3. Make sure you have not used an obvious root password that is susceptable to dictionary attacks -- they are more frequent than you would believe!

4. Set up a tunnel in your SSH client by defining a forwarded port with a "source port" of 10080 and a "destination port" of "localhost:80". Check the "local" button at the bottom of the page if you're using PuTTY.

5. Log in to your KnoppMyth box using SSH. Once the client is connected, open a browser and point it to "http://localhost:10080" and it will open a tunnel to your <em class="highlight marker searchword-0">mythweb</em> server. Because we cleverly aliased the http port to something other than 80, we can still access "normal" internet stuff while the tunnel is open.

As a side benefit, remote SSH lets you perform critical maintenence operations like restarting the backend should it go wonky while you're away from home. You can also check on your box and monitor drive health (if you have set up smartmontools) or any other facet of your box.

Here is a great tutorial about SSH tunneling with a linksys wrt54g router http://hetos.de/sshtut.html

Note: aviManager and other documentation webpages will work with a different local port (http://localhost:10080 tunneled to port 80) but <em class="highlight marker searchword-0">MythWeb</em> seems to only work with http://localhost:80 tunneled to port 80.