[pmwiki-users] authuser

Patrick R. Michaud pmichaud at pobox.com
Tue Jun 21 15:25:33 CDT 2005


On Tue, Jun 21, 2005 at 12:51:38PM -0700, H. Fox wrote:
> The script didn't work on my system at first because I use md5
> encryption in my .htpasswords file.  In other words, setting the
> password with
>     htpasswd -nmb SomeUser somepw >>local/.htpasswd
> does not work, but
>     htpasswd -nb SomeUser somepw >>local/.htpasswd
> does.  My system passwords are also md5, so I presume the results
> would be the same for a passwd.local file.

Alas, alas, it turns out that Apache uses a non-standard MD5
hash algorithm for its encrypted passwords, and PHP's crypt()
function doesn't recognize it.  PHP's crypt *does* recognize
the standard SHA1 encryption that is used in most passwd
files (e.g., passwd.local), so that shouldn't pose a problem.

So, here are some examples:

[pmichaud at pmichaud pmichaud]$ htpasswd -nb pmichaud secret   # DES
pmichaud:LFBcYjavw1w2k

[pmichaud at pmichaud pmichaud]$ htpasswd -nmb pmichaud secret  # Apache-MD5
pmichaud:$apr1$DFU2h/..$vl4DGt38iGQjuj6gi1Ivb0

[pmichaud at pmichaud pmichaud]$ htpasswd -nsb pmichaud secret  # SHA1
pmichaud:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=

[pmichaud at pmichaud pmichaud]$ sudo grep pmichaud /etc/shadow # MD5
pmichaud:$1$2WDqSXeA$.xczdbWqfTa3F8PIZHPeM/:12805:0:99999:7:::

You can see that Apache's MD5 encryption is different (prefix
'$apr1$') from the standard md5 encryption (prefix '$1$').  Even
the Apache docs say that it's non-standard (man htpasswd):

    The MD5 algorithm used by htpasswd is specific to the 
    Apache software; passwords encrypted using it will not 
    be usable with other Web servers.

Anyway, it looks like it'll work fine with system password files
using MD5 encryption, or with files produced by htpasswd using 
DES or SHA encryption.  I'll have to see if I can come up with
a way to check Apache's modified MD5 encryption.

Pm
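
Added example, not part of the original message and not PmWiki's code: a Python sketch that verifies the '{SHA}' and '$apr1$' entries shown above. It relies on the fact that Apache's scheme is the '$1$' md5-crypt algorithm with only the magic string changed; the names md5_crypt, check_htpasswd and _to64 are hypothetical.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)-style base64: emit the low 6 bits first, count times."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt, magic="$apr1$"):
    """MD5-crypt; magic '$1$' is the system variant, '$apr1$' is Apache's."""
    pw, sl, mg = password.encode(), salt.encode()[:8], magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    n = len(pw)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return f"{magic}{salt[:8]}${body}{_to64(final[11], 2)}"

def check_htpasswd(password, stored):
    """Verify against a stored hash, dispatching on its scheme prefix."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        candidate = "{SHA}" + base64.b64encode(digest).decode()
    elif stored.startswith(("$apr1$", "$1$")):
        magic, salt = stored[: stored.index("$", 1) + 1], stored.split("$")[2]
        candidate = md5_crypt(password, salt, magic)
    else:
        raise ValueError("unsupported scheme (e.g. DES crypt)")
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

The DES entry is rejected on purpose: it needs the system crypt() and is not reimplemented here.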


