httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?
Date Thu, 02 May 2013 18:19:03 GMT


On 5/2/2013 1:50 PM, Bo Berglund wrote:
> I am trying to understand the use of MD5 as passwords for Apache,
> previously I have always used CRYPT:ed passwords in my .htpasswd file.
> Because Apache on Windows does not allow CRYPT:ed passwords (see
> earlier thread) I am investigating the MD5 possibility.
> The problem I have is that I need to let my code generate the hashes
> written to the .htpasswd file in such a way that Apache will be OK
> with them.
> When reading the PHP documentation I find that the output of the md5()
> function is a 32 byte hex string.
> But the hash generated by the Apache htpasswd command on Windows
> produces hashes like this:
> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
> 
> As you can see this is clearly NOT a hex string at all!!!
> 
> So is it possible with PHP to generate the .htpasswd file in a format
> that comlies with what Apache needs?
> 
> And can PHP check if a password hash matches the user supplied
> password after it has been hashed using MD5?
> 
> 

Hi again, Bo,

Yes, it is possible for PHP to generate the .htpasswd file by calling a
standalone binary directly (e.g., with proc_open() or other functions in
the same family).

Likewise, PHP can validate the hash using the same method.

>From the manual page that I cited in a previous response (
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ):

-----------------------------------------------------------------------
"$apr1$" + the result of an Apache-specific algorithm using an iterated
(1,000 times) MD5 digest of various combinations of a random 32-bit salt
and the password. See the APR source file apr_md5.c for the details of
the algorithm.

[...]

Generating values with htpasswd

MD5

$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

[...]

Generating CRYPT and MD5 values with the OpenSSL command-line program

OpenSSL knows the Apache-specific MD5 algorithm.

MD5

$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

[...]

Validating CRYPT or MD5 passwords with the OpenSSL command line program

The salt for an MD5 password is between $apr1$ and the following $ (as a
Base64-encoded binary value - max 8 chars). To validate myPassword
against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

MD5

$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

-----------------------------------------------------------------------

So, at a minimum, it seems that you should be able to generate
Apache-readable hashes using the either the Apache-provided utility
binary, htpasswd, or the "openssl" binary. Given that openssl is
available for most (or all) platforms, including Windows, one of the two
should be sufficient.

I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html .

Trying htpasswd first:

Generate password:

htpasswd -nbm myName myPassword
myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

Validate password:

openssl passwd -apr1 -salt QF/F.cm5 myPassword
$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

(the hashes match; the password is valid)

Trying openssl next:

openssl passwd -apr1 myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

openssl passwd -apr1 -salt f/X4Z7kl myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

(the hashes match; the password is valid)

This should be everything you need.

-Ben



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message