httpd-users mailing list archives

From "Arun Jacob" <jacob.a...@gmail.com>
Subject [users@httpd] htadm and htpasswd
Date Wed, 26 Apr 2006 12:52:15 GMT
Background
=====================
Currently, we have a web application running on an OS/390 mainframe under
mainframe Unix Shared Services. The webserver is IBM HTTP Server, which is a
rebranded version of Apache.

This application is being migrated to AIX.

Currently on the mainframe, the password hashing and verification is being
done by a utility called HTADM that comes with IBM HTTP Server on OS/390.
For generating a hash of a plaintext_pwd, HTADM uses the Unix crypt(3) with
a random 2 char salt. The 1st 2 chars of the generated hash are the salt.
To verify a cleartext_pwd against the stored hash_pwd for a user, HTADM
takes the 1st 2 chars of the hash as the salt and passes it with the
cleartext_pwd to crypt(3) to generate another hash. This hash should be the
same as the stored hash.

My questions
======================
>> HTADM is not available on IBM HTTP Server for Apache. How can I get it?
I can find only htpasswd, which is limited in functionality compared to
htadm.

>> htpasswd's limitation is that it cannot verify a password against one that
is passed to it. At least the parameters don't have the option. Is there a way
to use htpasswd to verify a stored password?

>> I got a set of cleartext_pwd ----> hash mappings generated on the OS/390
using HTADM. Now I tried to verify if I could get the same hash using a
separate implementation of crypt(3) found on this website:
http://javascript.internet.com/passwords/unix-crypt(3)-encryption.html
But the hash generated using this separate implementation does not match.

So is crypt(3) implemented differently on OS/390 compared to AIX and other
Unix OS's?


Thanks in advance
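
The verification procedure described in the message above, as an added example (not part of the original post, and not HTADM or htpasswd code): it takes the first two characters of a stored hash as the salt, recomputes the hash with the local crypt(3) through Ruby's String#crypt, and lists the cleartext-to-hash mappings that the local implementation does not reproduce. The function names and sample values are constructed for illustration, and the local crypt(3) is assumed to support the traditional two-character-salt scheme.

```ruby
require 'securerandom'

# Characters allowed in a traditional crypt(3) salt.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Hash a cleartext password; a random 2-char salt is used unless one is given.
def crypt_hash(cleartext, salt = nil)
  salt ||= Array.new(2) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  cleartext.crypt(salt) # String#crypt calls the platform's crypt(3)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a cleartext password: the salt is the first 2 chars of the stored hash.
def crypt_verify(cleartext, stored_hash)
  return false unless stored_hash.is_a?(String) && stored_hash.length == 13
  salt = stored_hash[0, 2]
  return false unless salt.chars.all? { |c| SALT_CHARS.include?(c) }
  secure_equal?(cleartext.crypt(salt), stored_hash)
end

# Given cleartext => hash mappings produced on another system, return the
# cleartexts whose hash the local crypt(3) does not reproduce.
def mismatched(mappings)
  mappings.reject { |cleartext, stored| crypt_verify(cleartext, stored) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: the first hash is generated locally, the second
  # is a made-up 13-character value standing in for a hash that does not match.
  sample = {
    'secret'  => crypt_hash('secret', 'ab'),
    'example' => 'abXXXXXXXXXXX'
  }
  sample.each { |pw, h| puts "#{pw}: #{crypt_verify(pw, h) ? 'match' : 'MISMATCH'}" }
  puts "not reproduced locally: #{mismatched(sample).inspect}"
end
```

Traditional crypt(3) uses only the first eight characters of the password, so longer cleartexts that share those eight characters verify against the same hash.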
