httpd-dev mailing list archives

From Noel Butler <noel.but...@ausics.net>
Subject Re: mysql apache md5
Date Tue, 08 Mar 2011 02:31:04 GMT
On Mon, 2011-03-07 at 19:38 -0600, William A. Rowe Jr. wrote:

> On 3/7/2011 5:31 PM, Noel Butler wrote:
> > On Mon, 2011-03-07 at 13:51 +0100, Johan De Meersman wrote:
> >> Umm... I'm no crypto guru, but I've never heard of MD5 having variants,
> >> let alone a salt. MD5 is MD5 is MD5. APR, incidentally, is the Apache
> >> Runtime, afaik - part of the build kit for apache modules.
> >>
> >> I strongly suspect your problem is on another level.
> >>
> >>
> > 
> > Actually, he is correct. Though, the Apache variant of md5 is a chosen
> > improved security method, it really shouldn't be called MD5 since it is
> > not compatible with, well, base MD5 :)
> > 
> > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
> > 
> > MD5
> > 
> > "$apr1$" + the result of an Apache-specific algorithm using an iterated
> > (1,000 times) MD5 digest of various combinations of a random 32-bit salt
> > and the password. See the APR source file apr_md5.c
> > <http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co>
> > for the details of the algorithm.
> > 
> > 
> >       *MD5*
> > 
> > $ openssl passwd -apr1 myPassword
> > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> > 
> > 
> > I agree Apache should probably not be calling it MD5. Perhaps it needs
> > renaming and MD5 as we all know it, be, MD5.
> > 
> > and for this reason I will xpost to devs list for some clear (maybe)
> > explanation as to why it was called this.
> > 
> > I don't think Edward's questioning is unreasonable, given the popularity
> > of LAMP combination, they are touted to work hand in hand, but as he
> > pointed out, they are not, even exampled by openssl wanting -apr1 not
> > -md5 to be compatible, so I can see how this would be a problem with
> > MySQL insert of md5(foo) not be recognised by an Apache md5 wanting.
> 
> But what does this have to do with httpd?  At best, you are suggesting a docs improvement.
> Otherwise this is on the language you are using and not an ASF issue... but the desired
> behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl
> example... and apache_md5_crypt() is unambiguous.
> 
> http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
> 


That was a repost from a mysql list... the OP was saying md5 should be
md5, when using apache auth against an md5 hash as its auth mechanisms,
it does not accept the md5 hash inserted into a DB, i.e. using mysql
insert md5(foo) it won't for the OP recognise it, when using
AuthDBDUserPWQuery.

In other words, if you claim to support MD5, it should read an inserted
md5 hash. But I will forward your post to the OP.
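
Added example, not part of the original message and not Apache or APR code: a Python sketch of the `$apr1$` scheme as described in the quoted documentation (following the algorithm in `apr_md5.c`), compared with the bare hex digest that MySQL's `MD5()` returns. The helper names `apr1`, `mysql_md5` and `apache_accepts` are hypothetical, and `apache_accepts` models only the `$apr1$` branch of Apache's password check.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def apr1(password: str, salt: str) -> str:
    """Apache $apr1$ hash: salted MD5 iterated 1,000 times."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = _md5(pw, s, pw)
    # password, magic, salt, then len(pw) bytes of the alternate digest
    buf = pw + MAGIC + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:  # one extra byte per bit of the password length
        buf += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = _md5(buf)
    for i in range(1000):
        final = _md5(pw if i & 1 else final,
                     s if i % 3 else b"",
                     pw if i % 7 else b"",
                     final if i & 1 else pw)
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(4))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${s.decode()}${out}"

def mysql_md5(value: str) -> str:
    """What MySQL's MD5() stores: unsalted, single-pass, 32 hex characters."""
    return hashlib.md5(value.encode()).hexdigest()

def apache_accepts(password: str, stored: str) -> bool:
    """Simplified model: accept only a well-formed, matching $apr1$ string."""
    m = re.fullmatch(r"\$apr1\$([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False  # a bare hex digest is not an $apr1$ string
    return hmac.compare_digest(apr1(password, m.group(1)), stored)

if __name__ == "__main__":
    doc_hash = "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"  # quoted in the message above
    print(apache_accepts("myPassword", doc_hash))
    print(mysql_md5("myPassword"))
    print(apache_accepts("myPassword", mysql_md5("myPassword")))
```

A column read by AuthDBDUserPWQuery therefore has to hold the full `$apr1$salt$hash` string, generated outside MySQL, rather than the output of `MD5()`.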



