httpd-users mailing list archives

From "Steve Swift" <steve.j.sw...@gmail.com>
Subject Re: [users@httpd] .htpasswd problems
Date Fri, 20 Apr 2007 06:06:54 GMT
Using htpasswd to control passwords in the .htpasswd file has always
resulted in varying values for the same password. This is a standard
encryption technique. It doesn't matter what gets stored as long as the
decrypted value matches the password. A simple mechanism could use 256
different encryption methods, with the one used stored in the first byte of
the encrypted results.

On 20/04/07, Jannetta S Steyn <jannetta@henning.org> wrote:
>
> Hi All
>
> I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good place to start, even if it is just to get someone to guide me in the right direction.
>
> Some years ago I wrote a web front-end for managing .htpasswd files. My client has been using this for years. Everything is written in php and I use crypt without a seed to encrypt the passwords. Basically what I do is to allow the user to create entries in the .htadmin file. They can also manage the .htpasswd file by editing and deleting entries. Everything worked very well for about 2 years at which point the passwords wouldn't work anymore. I couldn't figure out what was wrong and the client's ISP would help finding the fault and I couldn't reproduce the problem on my own servers.
>
> I then moved everything onto my own servers and everything worked again for several years. Unfortunately I then had to move onto rented web space where everything continued to work for another year or so and now I'm experiencing the same problem again. When the problem originally started I modified the scripts to keep a copy of the .htpasswd file with open passwords and I added a menu item to allow the user to re-submit the password file. This would encrypt all the passwords again and write them to the .htpasswd file and things would work again for a few days.
>
> Now however the thing breaks so often that we just can carry on resubmitting again. I have once again moved everything onto my servers and since last night I discovered one thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a different hash for the password every time you run it. However, when you log in, it works, even though the password in the .htpasswd file seemed to have changed. My question in the first place then is: How on earth does htpasswd manage to authenticate if the password hash changes every time?
>
> My understanding of how authentication works is that the password is saved as an md5 or DES hash and when the user tries to log in he enters his clear password which is then encrypted and compared with the hash in the password file. Surely though the two hashes should be the same. If however a seed is used which is different every time the encrypting is done then we'll get a different password every time and they should be equal. Why then does apache still authenticate the user?
>
> My second question is: Did the way htpasswd and apache work change at some stage, or why did my scripts stop working after such a long time?
>
> The project is available in sourceforge at http://sourceforge.net/project/showfiles.php?group_id=62350. I would really appreciate any guidance on this problem.
>
> Kind Regards
> Jannetta


-- 
Steve Swift
http://www.swiftys.org.uk
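
Added example (not part of the original thread, and not Apache's or the poster's code): a Python sketch of htpasswd's `$apr1$` MD5 format, showing why the same password yields a different stored value on every run yet still verifies. The random salt is kept in the stored string, and the check re-hashes the candidate password with that stored salt. The function names `apr1_hash`, `verify` and `new_entry` are hypothetical, and the sample user and password are constructed.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5crypt: 1000 rounds of salted MD5."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s
    ctx += (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += "".join(ITOA64[v >> 6 * k & 0x3F] for k in range(4))
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${salt[:8]}${out}"

def verify(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the salt embedded in the stored value."""
    _, magic, salt, _ = stored.split("$")
    if magic != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_hash(candidate, salt), stored)

def new_entry(user: str, password: str) -> str:
    """Build a .htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

if __name__ == "__main__":
    # Constructed sample data: two entries for the same password differ,
    # but each verifies because its own salt travels with it.
    for line in (new_entry("alice", "s3cret"), new_entry("alice", "s3cret")):
        print(line, verify(line.split(":", 1)[1], "s3cret"))
```

A script that writes .htpasswd entries has to emit a format the target server's Apache build accepts, which is why a bare system `crypt()` result can verify on one host and fail on another.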
