[Pmwiki-users] unix crypt passwords vs. md5 hash

Patrick R. Michaud pmichaud
Wed Apr 21 10:14:52 CDT 2004


On Tue, Apr 20, 2004 at 03:18:08PM -0400, Kass Lloyd wrote:
> This topic was brought to my mind when I installed Pmwiki on a machine
> running PHP as a cgi instead of an apache module. The unix crypt feature
> apparently is broken for cgi implementations of PHP including the most
> recent version of PHP4.

Without reflecting on the merits of your other suggestions, are you
certain that crypt() is the problem here?  Is this documented somewhere?
I've seen and used a lot of cgi implementations of PHP that have no 
problem with the crypt function.  In particular, if crypt() didn't work
under CGI implementations I'd expect it to appear in the PHP documentation
or comments somewhere, which it doesn't.  So, I'd like to see a test
script installed somewhere that clearly demonstrates that crypt is
broken.  

OTOH, many cgi implementations *do* have problems with PmWiki's use 
of the HTTP Basic authentication protocol because the username/password
information is generally not available to PmWiki when PHP is used as a
CGI.  In these cases one has to use the scripts/sessionauth.php script 
in order to perform passwording, and here, the crypt function works just
fine.

So, before I jump to switching the encryption algorithm PmWiki uses to store
passwords, which may cause some headaches for existing installations, 
let's make sure it really *is* a problem that needs to be solved.  :-)  
It may simply be that PmWiki needs to default to using (an improved) 
sessionauth.php and allow HTTP authentication as an option.

Also, since this is all very closely related to the issues of providing
user login and/or user preference capabilities in PmWiki, I think I'd 
prefer to make a change in PmWiki's encryption mechanism as part of
adding/changing those features, rather than as a separate standalone
modification.

Thanks,

Pm
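
A test script of the kind asked for above, as an added example that is not part of the original message or of PmWiki: it checks a crypt() round trip and, separately, whether HTTP Basic credentials reach PHP under the current SAPI. The function names, password and salts are constructed for the test.

```php
<?php
// Added diagnostic, not PmWiki code. Password and salts are constructed test values.

// Hash with the given salt, then verify the way a password check does:
// re-run crypt() with the stored hash as the salt and compare the results.
function crypt_roundtrip(string $password, string $salt): array
{
    $hash = crypt($password, $salt);
    // On failure crypt() returns a short token starting with "*" ("*0" or "*1").
    $ok = is_string($hash) && strlen($hash) >= 13 && $hash[0] !== '*';
    return [
        'produced_hash'   => $ok,
        'accepts_correct' => $ok && hash_equals($hash, crypt($password, $hash)),
        'rejects_wrong'   => $ok && !hash_equals($hash, crypt('not-it', $hash)),
    ];
}

// Report which server variables carry Basic credentials, without echoing them.
// PHP_AUTH_USER is filled in by PHP itself; the other two appear only if the
// web server has been configured to forward the Authorization header.
function basic_auth_visibility(array $server): array
{
    $seen = [];
    foreach (['PHP_AUTH_USER', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        $seen[$key] = isset($server[$key]) && $server[$key] !== '';
    }
    return $seen;
}

$report = [
    'sapi'       => php_sapi_name(),                          // e.g. cgi, apache2handler
    'crypt_des'  => crypt_roundtrip('wiki', 'pm'),            // traditional 2-char salt
    'crypt_md5'  => crypt_roundtrip('wiki', '$1$pmwiki00$'),  // MD5-based crypt salt
    'basic_auth' => basic_auth_visibility($_SERVER),
];

header('Content-Type: text/plain');
echo json_encode($report, JSON_PRETTY_PRINT), "\n";
```

Request the script with Basic credentials supplied (for example with `curl -u`) once under the CGI build and once under the Apache module. If the crypt entries are all true in both while `basic_auth` is all false under CGI, the failure is in how credentials are delivered, not in crypt().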


