httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Johnson <...@indietorrent.org>
Subject Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?
Date Thu, 02 May 2013 18:46:36 GMT


On 5/2/2013 2:19 PM, Ben Johnson wrote:
> 
> 
> On 5/2/2013 1:50 PM, Bo Berglund wrote:
>> I am trying to understand the use of MD5 as passwords for Apache,
>> previously I have always used CRYPT:ed passwords in my .htpasswd file.
>> Because Apache on Windows does not allow CRYPT:ed passwords (see
>> earlier thread) I am investigating the MD5 possibility.
>> The problem I have is that I need to let my code generate the hashes
>> written to the .htpasswd file in such a way that Apache will be OK
>> with them.
>> When reading the PHP documentation I find that the output of the md5()
>> function is a 32 byte hex string.
>> But the hash generated by the Apache htpasswd command on Windows
>> produces hashes like this:
>> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
>>
>> As you can see this is clearly NOT a hex string at all!!!
>>
>> So is it possible with PHP to generate the .htpasswd file in a format
>> that comlies with what Apache needs?
>>
>> And can PHP check if a password hash matches the user supplied
>> password after it has been hashed using MD5?
>>
>>
> 
> Hi again, Bo,
> 
> Yes, it is possible for PHP to generate the .htpasswd file by calling a
> standalone binary directly (e.g., with proc_open() or other functions in
> the same family).
> 
> Likewise, PHP can validate the hash using the same method.
> 
>>From the manual page that I cited in a previous response (
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ):
> 
> -----------------------------------------------------------------------
> "$apr1$" + the result of an Apache-specific algorithm using an iterated
> (1,000 times) MD5 digest of various combinations of a random 32-bit salt
> and the password. See the APR source file apr_md5.c for the details of
> the algorithm.
> 
> [...]
> 
> Generating values with htpasswd
> 
> MD5
> 
> $ htpasswd -nbm myName myPassword
> myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> [...]
> 
> Generating CRYPT and MD5 values with the OpenSSL command-line program
> 
> OpenSSL knows the Apache-specific MD5 algorithm.
> 
> MD5
> 
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> 
> [...]
> 
> Validating CRYPT or MD5 passwords with the OpenSSL command line program
> 
> The salt for an MD5 password is between $apr1$ and the following $ (as a
> Base64-encoded binary value - max 8 chars). To validate myPassword
> against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> MD5
> 
> $ openssl passwd -apr1 -salt r31..... myPassword
> $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> -----------------------------------------------------------------------
> 
> So, at a minimum, it seems that you should be able to generate
> Apache-readable hashes using the either the Apache-provided utility
> binary, htpasswd, or the "openssl" binary. Given that openssl is
> available for most (or all) platforms, including Windows, one of the two
> should be sufficient.
> 
> I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html .
> 
> Trying htpasswd first:
> 
> Generate password:
> 
> htpasswd -nbm myName myPassword
> myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1
> 
> Validate password:
> 
> openssl passwd -apr1 -salt QF/F.cm5 myPassword
> $apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1
> 
> (the hashes match; the password is valid)
> 
> Trying openssl next:
> 
> openssl passwd -apr1 myPassword
> $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/
> 
> openssl passwd -apr1 -salt f/X4Z7kl myPassword
> $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/
> 
> (the hashes match; the password is valid)
> 
> This should be everything you need.
> 
> -Ben

P.S. I advise you not to try to write-out your htpasswd files using pure
PHP. It seems much more sound to use the Apache-provided utility
executables to manipulate htpasswd and related files.

In other words, use PHP's proc_open() or similar to call the appropriate
utility to manipulate the Apache files. I think you would have a hell of
a time trying to recreate in PHP all the functionality that *already
exists* in those utilities.

Good luck

-Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message