httpd-users mailing list archives

From "Pete Nelson" <pete.nel...@ci.stpaul.mn.us>
Subject RE: basic authentication in apache 1.3.19 ignoring more than 8characters in the password.
Date Tue, 16 Apr 2002 14:25:49 GMT
Owen's absolutely right - sorry I didn't see this.  With crypt, all
characters beyond the first 8 are meaningless.  However, with the MD5
(-m) option, my 19 character password was preserved.  I didn't have any
password mismatch error, but I did have to shut down my browser before
attempting to reconnect (so it no longer recognized the realm).  I also
restarted my web server between tests.

After restarting my browser, I tried logging in with 'thisisal' and
'thisisalargepassword', and I was re-prompted for the password.  When I
entered 'thisisalongpassword', it worked.

Note that these last tests were just on Apache 1.3.22/RedHat 6.2. 
(Apache 1.3.24/Win2k forces MD5, unless you specify SHA (-s) - there is
no crypt on Win32). 

--
Pete Nelson, Web Developer
<pete.nelson@ci.stpaul.mn.us>
http://www.ci.stpaul.mn.us/

>>> milind.sawant@skandiabank.ch 04/16/02 09:04AM >>>
Hi

thanks for your concern

The Basic Authentication in apache uses the htpasswd utility to generate
passwords.

A) The default option is -d (Force CRYPT encryption of the password).
	You can create a password of more than 8 characters.
	But only the first 8 characters are relevant.
	As Owen Boyle has rightly pointed out, if "xxxxxxxxYBDCDC" is your password
	and on authentication you supply "xxxxxxxxADBDD" as the password, you can log in.

B) Using other options like -m (MD5 encryption) and -s (SHA encryption) don't
work.
	I can generate the password but get a password mismatch error on
authentication.


Do you have the same experience?


Milind

Milind Sawant
Web Administrator (Apollo)
TCS

+0041 1 288 4675


-----Original Message-----
From: obo@bourse.ch [mailto:obo@bourse.ch] 
Sent: 16 April 2002 15:28
To: users@httpd.apache.org 
Subject: Re: basic authentication in apache 1.3.19 ignoring more than 8characters in the password.


Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword).  I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.

Did you test whether all the characters were significant? AFAIK, apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the same.

Rgds,

Owen Boyle.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 
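
An added example, not code from this thread or from the Apache project: a Python audit of htpasswd-style lines that tells the crypt (-d), MD5 (-m) and SHA (-s) formats discussed above apart and flags crypt entries, where only the first 8 characters count. The function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# DES crypt field: 2-character salt + 11-character hash, 13 characters total.
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Map a stored hash field to the htpasswd option that produced it."""
    if hash_field.startswith("$apr1$"):
        return "md5"    # htpasswd -m
    if hash_field.startswith("{SHA}"):
        return "sha"    # htpasswd -s
    if CRYPT_RE.fullmatch(hash_field):
        return "crypt"  # htpasswd -d
    return "unknown"

def sha_field(password):
    """{SHA} format: Base64 of the unsalted SHA-1 digest of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def check_sha(hash_field, candidate):
    """Verify a candidate password against a {SHA} field."""
    return hmac.compare_digest(sha_field(candidate), hash_field)

def audit(lines):
    """Return (user, scheme, limit) tuples; limit is 8 for crypt, else None."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        report.append((user, scheme, 8 if scheme == "crypt" else None))
    return report

# Constructed sample file. The crypt and MD5 fields are placeholders with the
# right shape, not real hashes; the {SHA} field is computed by sha_field().
SAMPLE = [
    "alice:saPLACEHOLDER",
    "bob:$apr1$saltsalt$PLACEHOLDERPLACEHOLDER..",
    "carol:" + sha_field("thisisalongpassword"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries reported with a limit of 8 are the ones where a password such as "thisisalxxxxxxxxx" would be accepted in place of "thisisalongpassword".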

