[pmwiki-users] authuser
H. Fox
haganfox at gmail.com
Tue Jun 21 15:45:15 CDT 2005
Thank you for the detailed answer. I'll switch to SHA1, which is
presumably superior to DES.
Hagan
On 6/21/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Tue, Jun 21, 2005 at 12:51:38PM -0700, H. Fox wrote:
> > The script didn't work on my system at first because I use md5
> > encryption in my .htpasswords file. In other words, setting the
> > password with
> > htpasswd -nmb SomeUser somepw >>local/.htpasswd
> > does not work, but
> > htpasswd -nb SomeUser somepw >>local/.htpasswd
> > does. My system passwords are also md5, so I presume the results
> > would be the same for a passwd.local file.
>
> Alas, alas, it turns out that Apache uses a non-standard MD5
> hash algorithm for its encrypted passwords, and PHP's crypt()
> function doesn't recognize it. PHP's crypt *does* recognize
> the standard SHA1 encryption that is used in most passwd
> files (e.g., passwd.local), so that shouldn't pose a problem.
>
> So, here are some examples:
>
> [pmichaud at pmichaud pmichaud]$ htpasswd -nb pmichaud secret # DES
> pmichaud:LFBcYjavw1w2k
>
> [pmichaud at pmichaud pmichaud]$ htpasswd -nmb pmichaud secret # Apache-MD5
> pmichaud:$apr1$DFU2h/..$vl4DGt38iGQjuj6gi1Ivb0
>
> [pmichaud at pmichaud pmichaud]$ htpasswd -nsb pmichaud secret # SHA1
> pmichaud:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
>
> [pmichaud at pmichaud pmichaud]$ sudo grep pmichaud /etc/shadow # MD5
> pmichaud:$1$2WDqSXeA$.xczdbWqfTa3F8PIZHPeM/:12805:0:99999:7:::
>
> You can see that Apache's MD5 encryption is different (prefix
> '$apr1$') from the standard md5 encryption (prefix '$1$'). Even
> the apache docs say that it's non-standard (man htpasswd):
>
> The MD5 algorithm used by htpasswd is specific to the
> Apache software; passwords encrypted using it will not
> be usable with other Web servers.
>
> Anyway, it looks like it'll work fine with system password files
> using MD5 encryption, or with files produced by htpasswd using
> DES or SHA encryption. I'll have to see if I can come up with
> a way to check Apache's modified MD5 encryption.
>
> Pm
>
More information about the pmwiki-users
mailing list