Though your ~/public_html/.htaccess seems OK, and you double-checked that your auth* directives match the Apache documentation samples, you still get unauthenticated web access to the directory you're trying to protect in your userdir...

(Spend loads of time testing various possibilities...)

(Find nothing, read the doc again, check everything again...)

In the end, with some luck, you'll link the following pieces together, from the Apache 2.0 documentation and the default install files of your Debian package, and find out that the issue comes from the Debian default install, which looks like it allows .htaccess files in your user directories, though in the end it doesn't:

  • The documentation's troubleshooting .htaccess section reads: "Most commonly, the problem is that AllowOverride is not set such that your configuration directives are being honored."
  • The documentation's AllowOverride Directive section reads: "AllowOverride is valid only in <Directory> sections specified without regular expressions [...]."
  • The default /etc/apache2/mods-enabled/userdir.conf file, from the Debian 3.1 apache2 package, reads:
            <Directory /home/*/public_html>
                    AllowOverride FileInfo AuthConfig Limit
                    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            </Directory>
    
    (Noticed the *star*? Remember the thing about not being allowed to AllowOverride in a directory with regular expressions?)

So what ?
Tell me if I jumped to the wrong conclusion, but it seems to me that:

  1. The userdir.conf is kind of a liar: the whole <Directory> has no effect at all: actually it should be removed, to make it clear that .htaccess (or whatever other AccessFileName you gave them), well .htaccess files will NOT be read in your user directories.
  2. If you need that feature, you will need to create full-path <Directory> sections for each user directory where you need .htaccess files to be enabled.
    ...and don't forget you may still need to (carefully!) AllowOverride in these <Directory> sections whatever is necessary for the directives you trust the .htaccess files to manage.

Hope either this helps, or I missed a point.
Anyway, cheers, Debian developers! This article was meant to help, and not to blame.
But I'd very much like that stuff to be either confirmed or refuted, so that I can either file a bug, or spread ashes on my head for being stupid in public ;-)
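
To check a configuration against the two documentation statements quoted above, this added example (not from the original post, nor from the Apache or Debian projects) lists every section that sets AllowOverride and classifies its path argument. It assumes the Apache documentation's distinction between shell-style wildcards (`*`, `?`, `[]` in a plain `<Directory>` path) and regular expressions (`<Directory ~ ...>` or `<DirectoryMatch>`); the second and third sections in the sample, and the names `classify` and `audit`, are constructed for illustration.

```python
import re

# Constructed sample: the userdir.conf stanza from the page, followed by two
# hypothetical regex-based sections added only for contrast.
SAMPLE_CONF = """\
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
</Directory>
<Directory ~ "^/srv/www/.*/private">
    AllowOverride AuthConfig
</Directory>
<DirectoryMatch "^/var/www/(a|b)">
    AllowOverride All
</DirectoryMatch>
"""

OPEN = re.compile(r'^\s*<(Directory|DirectoryMatch)\s+(~\s+)?"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory(Match)?\s*>', re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)

def classify(tag, tilde, path):
    """Return 'regex', 'wildcard' or 'literal' for a section's path argument."""
    if tag.lower() == "directorymatch" or tilde:
        return "regex"
    # In a plain <Directory> path, ?, * and [] are fnmatch-style wildcards.
    return "wildcard" if re.search(r"[*?\[]", path) else "literal"

def audit(conf_text):
    """Return (path, kind, AllowOverride value, valid_per_docs) per section."""
    findings, current = [], None
    for line in conf_text.splitlines():
        m = OPEN.match(line)
        if m:
            current = (m.group(3), classify(m.group(1), m.group(2), m.group(3)))
        elif CLOSE.match(line):
            current = None
        elif current and (m := OVERRIDE.match(line)):
            path, kind = current
            # The quoted rule: valid only in sections without regular expressions.
            findings.append((path, kind, m.group(1), kind != "regex"))
    return findings

if __name__ == "__main__":
    for path, kind, value, valid in audit(SAMPLE_CONF):
        print(f"{path:24} {kind:9} AllowOverride {value:26} valid_per_docs={valid}")
```
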