httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 44578] New: mod_authn_dbd option to let database validate password
Date Tue, 11 Mar 2008 15:13:56 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=44578

           Summary: mod_authn_dbd option to let database validate password
           Product: Apache httpd-2
           Version: 2.2-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Other Modules
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: Tom.Donovan@acm.org


Created an attachment (id=21651)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=21651)
httpd trunk (r628393) patch - also applies to 2.2.8 cleanly

It is a frequent problem that mod_authn_dbd cannot be used with existing SQL
databases because passwords are not stored in one of the Apache formats:
{$apr1$}, {SHA}, crypt (Unix), or plaintext (Windows/Netware).

This proposal is for an optional 2nd 'VALIDATE' argument to the
AuthDBDUserPWQuery directive which lets the database determine whether the
password is valid without relying on the APR password hashing functions.

The VALIDATE argument indicates that the plaintext password is passed as the
first query parameter and the username is passed as the second parameter.

When the first column of the first returned row is a non-zero number or "T" or
"TRUE" (case insensitive), the password is accepted - otherwise the password is
rejected.

Note that when no rows are returned, mod_authn_dbd already reports
AUTH_USER_NOT_FOUND.

A common example is when passwords are stored using the database provider's MD5
function which is incompatible with Apache encrypted password formats:

MySQL or PostgreSQL:
  AuthDBDUserPWQuery \
  "SELECT (password = MD5(%s)) FROM users WHERE username = %s"  \
  VALIDATE

SQLServer:
  AuthDBDUserPWQuery \
  "SELECT CASE password WHEN HashBytes('MD5', %s) THEN 1 ELSE 0 END \
  FROM users WHERE username = %s" \
  VALIDATE

Oracle 10g:
  AuthDBDUserPWQuery \
  "SELECT CASE WHEN DBMS_CRYPTO.HASH(RAWTOHEX(%s),2) = password THEN 1 ELSE 0 END \
  FROM users WHERE username = %s"  \
  VALIDATE

The password is passed as the 1st parameter and the username as the 2nd
parameter because this order makes constructing the SQL statement considerably
easier, since the username is almost always used in a SQL predicate clause.

All SQL databases which support boolean values cast them to strings as "0" or
"1"; "t" or "f"; or "TRUE" or "FALSE".
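To make the acceptance rule concrete (non-zero number, or "T"/"TRUE" case-insensitively, everything else rejected) together with the "0"/"1", "t"/"f", "TRUE"/"FALSE" string forms just listed, here is a hypothetical C helper written for this message; it is not part of the attached patch, and the function name dbd_validate_column is an assumption.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */
/* 1 = non-zero decimal number, 0 = zero, -1 = not a number.
 * Accepts an optional sign, digits and at most one '.', e.g. "1", "-1", "0.0". */
static int classify_number(const char *p, size_t len)
{
    size_t i = 0;
    int digits = 0, nonzero = 0, dots = 0;
    if (len > 0 && (p[0] == '+' || p[0] == '-')) {
        i = 1;
    }
    for (; i < len; i++) {
        if (isdigit((unsigned char)p[i])) {
            digits++;
            if (p[i] != '0') {
                nonzero = 1;
            }
        } else if (p[i] == '.' && dots++ == 0) {
            continue;               /* a single decimal point is fine */
        } else {
            return -1;              /* letters, a second '.', etc. */
        }
    }
    return digits ? nonzero : -1;   /* a lone sign or '.' is not a number */
}

/* Hypothetical helper, not code from the attached patch: decide whether the
 * first column of the first row returned by a VALIDATE query accepts the
 * password. Accepted: a non-zero number, "T" or "TRUE" (case-insensitive).
 * NULL, "0", "f"/"FALSE", empty or unrecognised values all reject. */
int dbd_validate_column(const char *col)
{
    const char *p;
    size_t len;
    if (col == NULL) {
        return 0;
    }
    for (p = col; isspace((unsigned char)*p); p++) ;   /* drivers may pad columns */
    len = strlen(p);
    while (len > 0 && isspace((unsigned char)p[len - 1])) {
        len--;                      /* trailing padding too */
    }
    if ((len == 1 && strncasecmp(p, "t", 1) == 0) ||
        (len == 4 && strncasecmp(p, "true", 4) == 0)) {
        return 1;
    }
    return classify_number(p, len) == 1;
}
```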

This option is not useful for digest authentication because Apache does not
have the plaintext password when digest authentication is used.

It may be good to note in the documentation that the security of the database
connection and database SQL logging should be considered when a plaintext
password is passed to the database using the VALIDATE option.

