Patrick R. Michaud
pmichaud at pobox.com
Tue Jun 21 15:25:33 CDT 2005
On Tue, Jun 21, 2005 at 12:51:38PM -0700, H. Fox wrote:
> The script didn't work on my system at first because I use md5
> encryption in my .htpasswords file. In other words, setting the
> password with
> htpasswd -nmb SomeUser somepw >>local/.htpasswd
> does not work, but
> htpasswd -nb SomeUser somepw >>local/.htpasswd
> does. My system passwords are also md5, so I presume the results
> would be the same for a passwd.local file.
Alas, alas, it turns out that Apache uses a non-standard MD5
hash algorithm for its encrypted passwords, and PHP's crypt()
function doesn't recognize it. PHP's crypt *does* recognize
the standard SHA1 encryption that is used in most passwd
files (e.g., passwd.local), so that shouldn't pose a problem.
So, here are some examples:
[pmichaud at pmichaud pmichaud]$ htpasswd -nb pmichaud secret # DES
[pmichaud at pmichaud pmichaud]$ htpasswd -nmb pmichaud secret # Apache-MD5
[pmichaud at pmichaud pmichaud]$ htpasswd -nsb pmichaud secret # SHA1
[pmichaud at pmichaud pmichaud]$ sudo grep pmichaud /etc/shadow # MD5
You can see that Apache's MD5 encryption is different (prefix
'$apr1$') from the standard md5 encryption (prefix '$1$'). Even
the apache docs say that it's non-standard (man htpasswd):
    The MD5 algorithm used by htpasswd is specific to the
    Apache software; passwords encrypted using it will not
    be usable with other Web servers.
Anyway, it looks like it'll work fine with system password files
using MD5 encryption, or with files produced by htpasswd using
DES or SHA encryption. I'll have to see if I can come up with
a way to check Apache's modified MD5 encryption.
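
One way to check the '$apr1$' entries discussed above, as an added example that is not part of the original message or of PmWiki: the '$apr1$' scheme is the '$1$' MD5-crypt algorithm with a different magic string, so it can be recomputed with a plain MD5 primitive. Python is used so the example runs stand-alone; apr1_crypt and check_htpasswd are hypothetical names, and the sample line is the '$apr1$' example given in Apache httpd's password formats documentation.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_crypt(password, salt):
    """Apache's MD5-crypt variant: the '$1$' algorithm with magic '$apr1$'."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for n in range(len(pw), 0, -16):      # one alt-digest byte per password byte
        ctx.update(alt[:min(n, 16)])
    i = len(pw)
    while i:                              # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                 # fixed 1000 rounds of stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    for idx, width in (((0, 6, 12), 4), ((1, 7, 13), 4), ((2, 8, 14), 4),
                       ((3, 9, 15), 4), ((4, 10, 5), 4), ((11,), 2)):
        v = int.from_bytes(bytes(final[j] for j in idx), "big")
        for _ in range(width):            # crypt-style base64, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    return "$apr1$" + salt[:8] + "$" + out

def check_htpasswd(line, password):
    """True/False for '$apr1$' and '{SHA}' entries, None for other schemes."""
    stored = line.strip().partition(":")[2]
    if stored.startswith("$apr1$"):
        candidate = apr1_crypt(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        candidate = "{SHA}" + base64.b64encode(digest).decode()
    else:
        return None                       # DES or '$1$': leave to the platform crypt()
    return hmac.compare_digest(candidate.encode(), stored.encode())

# Sample entry (htpasswd -nbm myName myPassword, from the Apache httpd docs)
SAMPLE = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
```

check_htpasswd(SAMPLE, "myPassword") returns True; entries in other formats return None so the caller can fall back to crypt().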