httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jannetta S Steyn" <>
Subject [users@httpd] .htpasswd problems
Date Fri, 20 Apr 2007 05:56:40 GMT
Hi All

I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good
place to start, even it is just to get someone to guide me in the right direction.

Some years ago I wrote web front-end for managing .htpasswd files. My client has been
using this for years. Everything is written in php and I use crypt without a seed to
encrypt the passwords. Basically what I do is to allow the user to create entries in the
.htadmin file. They can also manage the .htpasswd file by editing and deleting entries.
Everything worked very well for about 2 years at which point the passwords wouldn't work
anymore. I couldn't figure out what was wrong and the client's ISP would help finding
the fault and I couldn't reproduce the problem on my own servers.

I then moved everything onto my own servers and everything worked again for several
years. Unfortunately I then had to move onto rented web space where everything continued
to work for another year or so and now I'm experiencing the same problem again. When the
problem originally started I modified the scripts to keep a copy of the .htpasswd file
with open passwords and I added a menu item to allow the user to re-submit the password
file. The would encrypt all the passwords again and write them to the .htpasswd file and
things would work again for a few days.

Now however the thing breaks so often that we just can carry on resubmitting again. I
have once again moved everything onto my servers and since last night I discovered one
thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a
different hash for the password everytime you run it. However, when you log in, it
works, even thought the password in the .htpasswd file seemed to have change. My
question in the first place then is: How on earth does htpasswd manage to authenticate
if the password hash changes every time.

My understanding of how authentication work is that the password is saved as a md5 or
DES hash and when the user tries to log in he enters his clear password which is then
encrypted and compared with the hash in the password file. Surely though the two hashes
should be the same. If however a seed is used which is different every time the
encrypting is done then we'll get a different password every time and they should be
equal. Why then does apache still authenticate the user?

My second question is: Did the way htpasswd and apache work change at some stage, or why
did my scripts stop working after such a long time?

The project is available in sourceforge at I would really appreciate
any guidance on this problem.

Kind Regards

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message