httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7
Date Tue, 30 Apr 2013 16:33:07 GMT


On 4/30/2013 11:55 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <ben@indietorrent.org>
> wrote:
> 
>>> Well,
>>> I cannot easily change the authentication method at all because the
>>> "real" website uses CRYPT passwords and we also have a lot of software
>>> in-house that updates these .htpasswd files with new user logins when
>>> new customers are granted access to the protected parts of the site.
>>
>> Ah, I see. Yes, then the only short-term solution seems to be to resolve
>> the issue with .htpasswd files on Windows.
> 
> What I can do is to replace the .htpasswd file with for example
> passwords in the .htaccess file and then put a few known test users
> into that using the htpasswd command, which generates md5 hashes.
> Then I can use the test site on my PC and the only thing I must not do
> is commit the changed .htaccess file to CVS....

Sounds good to me.

>> Nonetheless, you might suggest migrating the "live" server to some form
>> of database authentication in the future. It would be much simpler for
>> your in-house software to maintain and update a single database table,
>> rather than potentially hundreds of .htpassword and .htaccess files.
> 
> I guess so, but then I first have to get comfortable using databases
> on the website...

Understood.

>>> I have no idea how I could generate MD5 passwords in my software so I
>>> am stuck with CRYPT (which I can create).
>>> Note that if this is changed I need to do the same on all of the
>>> protected folders on the real site...
>>
>> Generating MD5 passwords should be trivial in any environment. If you
>> have a specific scripting language or similar, I'd be happy to provide
>> examples. However, based on what you say above, changing from CRYPT to
>> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
> 
> I could probably call the Apache htpasswd program from within my own
> program and supply it with parameter -c to create a new file and then
> I read that back. Like this:
> htpasswd.exe -cb passwordfile username password
> 
>>
>> I wouldn't go that far. There has to be a way to make CRYPT work on
>> Windows. I'll do some more research (and attempt to get this working on
>> my own machine) and provide an update.
>>
> 
> The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> Creating them is no big deal, I already have software components for
> that. But getting Apache to read them is....

Ah, right. Well, it seems that I stand corrected: it does *not* seem to
be possible to make Apache read crypted passwords on Windows:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic

CRYPT
Unix only. Uses the traditional Unix crypt(3) function with a
randomly-generated 32-bit salt (only 12 bits used) and the first 8
characters of the password.

> I cannot understand why they left that out of Apache when compiling
> for Windows....
> 
> 

I'm sure there is a good reason. I have yet to see ASF do anything
without one.

Maybe someone else can articulate the rationale.

Bummer!

-Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message