First of all you shouldn't be putting that configuration (the rewrite rules) in .htaccess files, you should be putting it in the main configuration file under a Directory section (assuming you have access to that file). The Apache docs explain why.
You should check that you have the correct AllowOverride settings. If it's all setup correctly, having the .htaccess file you specified sitting in the mysite/f folder should be enough to password protect it.
Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key and both passphrases:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with ssh 'id@server', and check-in:
.ssh/authorized_keys
Note: If you don't have .ssh dir and authorized_keys file, you need to create it first
to make sure we haven’t added extra keys that you weren’t expecting.
Finally, check to log in…
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.
Best Answer
You can absolutely use .htaccess to restrict access, but I don't know of any way to avoid creating an equivalent .htpasswd file if you want to control access via users and passwords, rather than whitelisted IP addresses or similar.
Now, you can create any number of .htpasswd files; so if you wanted a specific one for a specific directory, that would be easy to set up by creating the .htpasswd file using:
then specifying it using the "AuthUserFile" directive in your .htaccess file.