
Secure MythWeb with Mythbuntu 12.04

When you install the MythWeb module, the default security settings in Mythbuntu allow password-less access from anywhere. If you wish to be able to schedule (or watch) recordings when you are away from home then you may want to allow users on your local network to access the screens without a password, while requiring a password for connections from outside your network.

Tell Apache to require authentication for MythWeb

Open /etc/apache2/sites-enabled/mythweb.conf (you will need root access to edit it) and find the commented-out section that looks like this:

    ############################################################################
    # I *strongly* urge you to turn on authentication for MythWeb.  It is disabled
    # by default because it requires you to set up your own password file.  Please
    # see the man page for htdigest and then configure the following four directives
    # to suit your authentication needs.
    #
    #    AuthType           Digest
    #    AuthName           "MythTV"
    #    AuthUserFile       /var/www/htdigest
    #    Require            valid-user
    #    BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
    #    Order              allow,deny

I am not convinced /var/www is a safe place to keep your htdigest file, so I changed that line to store it in /etc/mythtv/htdigest. I added an "Allow from 192.168.0." line to allow users with an IP address starting with 192.168.0 to connect without a password, then a "Satisfy any" line so that the page is served if either condition is met: the client is an authenticated valid-user (from the Require line) or is on the local network (from the Allow from line). This is what my final section looked like:

        AuthType           Digest
        AuthName           "MythTV"
    #    AuthUserFile       /var/www/htdigest
        AuthUserFile       /etc/mythtv/htdigest
        Require            valid-user
        BrowserMatch       "MSIE"      AuthDigestEnableQueryStringHack=On
        Order              allow,deny
        Allow from 192.168.0.
        Satisfy            any

Enable the Apache module which implements the Digest authentication method

You must now enable Apache's auth_digest module using the a2enmod command.

    sudo a2enmod auth_digest

If you forget to do this, you will see errors like this in your Apache error log when you attempt to connect from a non-local address:

    [Mon Jul 09 23:27:21 2012] [crit] [client 69.163.149.163] configuration error:  couldn't check user.  Check your authn provider!: /mythweb

Choose a username and password for remote access

Assuming you used the same values for AuthUserFile and AuthName as I did, you can add the first user to the password file:

    sudo htdigest -c /etc/mythtv/htdigest MythTV username_to_add

The -c parameter creates a blank file so don't use it for any additional users you add. If you don't have htdigest installed, you may need to install the apache2-utils package (sudo apt-get install apache2-utils).

Ensure that only the Apache server can read the password file:

    sudo chown www-data /etc/mythtv/htdigest
    sudo chmod 640 /etc/mythtv/htdigest

Tell Apache about the configuration changes

    sudo service apache2 reload

It should now be safe to expose MythWeb to the outside world!
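A way to check the result of the steps above before opening the firewall, as an added example that is not part of the original post: it confirms that the directives are active, that every htdigest entry uses the same realm as AuthName, that the password file is not open to other users, and that "Satisfy any" is not combined with "Allow from all". The function names `check_mythweb_auth` and `demo` are hypothetical, and the sample entry in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the digest-auth settings above.
# Usage: sh check.sh /etc/apache2/sites-enabled/mythweb.conf  (run as root)
check_mythweb_auth() {
    conf=$1; rc=0
    # Read only active directives; lines starting with '#' never match.
    realm=$(sed -n 's/^[[:space:]]*AuthName[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    pwfile=$(awk '$1 == "AuthUserFile" { print $2; exit }' "$conf")
    if [ -z "$realm" ] || [ -z "$pwfile" ]; then
        echo "FAIL: AuthName or AuthUserFile is missing or still commented out"
        return 1
    fi
    if [ ! -s "$pwfile" ]; then
        echo "FAIL: $pwfile is missing or empty; create it with htdigest -c"
        return 1
    fi
    # htdigest stores user:realm:MD5-hex; the realm must equal AuthName exactly.
    bad=$(awk -F: -v r="$realm" 'NF != 3 || $2 != r || $3 !~ /^[0-9a-f]+$/ || length($3) != 32 { print $1 }' "$pwfile")
    if [ -n "$bad" ]; then
        echo "FAIL: entries not usable with realm \"$realm\":" $bad
        rc=1
    fi
    # The password file must not be readable or writable by "other".
    if [ -n "$(find "$pwfile" \( -perm -004 -o -perm -002 \))" ]; then
        echo "FAIL: $pwfile is accessible to other users; use chmod 640"
        rc=1
    fi
    # With "Satisfy any", an "Allow from all" lets every client skip the password.
    if grep -Eiq '^[[:space:]]*Satisfy[[:space:]]+any' "$conf" &&
       grep -Eiq '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+all' "$conf"; then
        echo "FAIL: Satisfy any plus Allow from all disables the password"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: realm \"$realm\", password file $pwfile"
    return "$rc"
}

# Constructed sample: the password entry was created with the wrong realm.
demo() {
    d=$(mktemp -d)
    printf 'alice:MythWeb:%032d\n' 0 > "$d/htdigest"
    chmod 640 "$d/htdigest"
    printf 'AuthName "MythTV"\nAuthUserFile %s\nSatisfy any\n' "$d/htdigest" > "$d/mythweb.conf"
    check_mythweb_auth "$d/mythweb.conf"; status=$?
    rm -rf "$d"; return "$status"
}

# Audit the file named on the command line, otherwise run the constructed demo.
if [ "$#" -eq 1 ]; then check_mythweb_auth "$1"; else demo || true; fi
```

A realm mismatch is worth checking because Apache then rejects a correct password with no hint beyond a failed login.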

 

By ff

Systems software engineer with interests in C/C++/Rust on Linux, electronic music and games.

12 replies on “Secure MythWeb with Mythbuntu 12.04”

Thanks for the terrific instructions. There are so many out of date and mostly unhelpful pages for configuring mythweb's authentication, but yours is perfect.

You might want to add that if htdigest doesn't run as a command, people might have to install it via sudo apt-get install apache2-utils

I have been struggling with this until I stumbled upon this page. Thanks for the instructions and also thanks “Michael Cleland” for pointing out the sudo apt-get install apache2-utils command.

I got impatient and gave these instructions a try on MythBuntu 16.04 and I am happy to report that it seems to work fine.

Followed this, and I got an Apache "configuration" error, which, reflected in the apache logs gives:

"Could not open password file: /etc/mythtv/mythweb-digest"

Not sure why it was htdigest in the above, but I renamed it to mythweb-digest:

/etc/apache2/sites-available# mv htdigest mythweb-digest

All fixed now (ubuntu 16.04)
