[pmwiki-users] authuser

H. Fox haganfox at gmail.com
Tue Jun 21 15:45:15 CDT 2005


Thank you for the detailed answer.  I'll switch to SHA1, which is
presumably superior to DES.

Hagan

On 6/21/05, Patrick R. Michaud <pmichaud at pobox.com> wrote:
> On Tue, Jun 21, 2005 at 12:51:38PM -0700, H. Fox wrote:
> > The script didn't work on my system at first because I use md5
> > encryption in my .htpasswords file.  In other words, setting the
> > password with
> >     htpasswd -nmb SomeUser somepw >>local/.htpasswd
> > does not work, but
> >     htpasswd -nb SomeUser somepw >>local/.htpasswd
> > does.  My system passwords are also md5, so I presume the results
> > would be the same for a passwd.local file.
> 
> Alas, alas, it turns out that Apache uses a non-standard MD5
> hash algorithm for its encrypted passwords, and PHP's crypt()
> function doesn't recognize it.  PHP's crypt *does* recognize
> the standard SHA1 encryption that is used in most passwd
> files (e.g., passwd.local), so that shouldn't pose a problem.
> 
> So, here are some examples:
> 
> [pmichaud@pmichaud pmichaud]$ htpasswd -nb pmichaud secret   # DES
> pmichaud:LFBcYjavw1w2k
> 
> [pmichaud@pmichaud pmichaud]$ htpasswd -nmb pmichaud secret  # Apache-MD5
> pmichaud:$apr1$DFU2h/..$vl4DGt38iGQjuj6gi1Ivb0
> 
> [pmichaud@pmichaud pmichaud]$ htpasswd -nsb pmichaud secret  # SHA1
> pmichaud:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
> 
> [pmichaud@pmichaud pmichaud]$ sudo grep pmichaud /etc/shadow # MD5
> pmichaud:$1$2WDqSXeA$.xczdbWqfTa3F8PIZHPeM/:12805:0:99999:7:::
> 
> You can see that Apache's MD5 encryption is different (prefix
> '$apr1$') from the standard md5 encryption (prefix '$1$').  Even
> the apache docs say that it's non-standard (man htpasswd):
> 
>     The MD5 algorithm used by htpasswd is specific to the
>     Apache software; passwords encrypted using it will not
>     be usable with other Web servers.
> 
> Anyway, it looks like it'll work fine with system password files
> using MD5 encryption, or with files produced by htpasswd using
> DES or SHA encryption.  I'll have to see if I can come up with
> a way to check Apache's modified MD5 encryption.
> 
> Pm
>
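
Added example, not part of the original messages or of PmWiki's code: a small
Python audit helper that labels each password-file entry by the scheme markers
shown in the thread ('$apr1$', '$1$', '{SHA}', bare 13-character DES) and
checks a password against a {SHA} entry.  The function names and the scheme
labels are assumptions made for this illustration; the sample lines are the
ones quoted above.

```python
import base64
import hashlib
import hmac
import re

# Sample entries copied from the htpasswd and /etc/shadow output in the thread.
SAMPLE = """\
pmichaud:LFBcYjavw1w2k
pmichaud:$apr1$DFU2h/..$vl4DGt38iGQjuj6gi1Ivb0
pmichaud:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
pmichaud:$1$2WDqSXeA$.xczdbWqfTa3F8PIZHPeM/:12805:0:99999:7:::
"""

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Return a scheme label (labels are this example's own) from the prefix."""
    if hash_field.startswith("$apr1$"):
        return "apache-md5"   # Apache-specific variant, per man htpasswd
    if hash_field.startswith("$1$"):
        return "md5-crypt"    # the '$1$' form seen in /etc/shadow
    if hash_field.startswith("{SHA}"):
        return "sha1"         # base64 of an unsalted SHA-1 digest
    if DES_RE.match(hash_field):
        return "des-crypt"
    return "unknown"

def parse(text):
    """Yield (user, scheme, hash) for each user:hash[:...] line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # shadow files carry extra colon-separated fields after the hash
        user, hash_field = line.split(":")[:2]
        entries.append((user, classify(hash_field), hash_field))
    return entries

def verify_sha(password, hash_field):
    """Check a password against an htpasswd {SHA} entry in constant time."""
    if not hash_field.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, hash_field[len("{SHA}"):])

if __name__ == "__main__":
    for user, scheme, _ in parse(SAMPLE):
        print(user, scheme)
```
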



