From: Ben Johnson
To: users@httpd.apache.org
Date: Thu, 02 May 2013 14:19:03 -0400
Message-ID: <5182AE17.3000109@indietorrent.org>
Subject: Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?

On 5/2/2013 1:50 PM, Bo Berglund wrote:
> I am trying to understand the use of MD5 as passwords for Apache,
> previously I have always used CRYPT:ed passwords in my .htpasswd file.
> Because Apache on Windows does not allow CRYPT:ed passwords (see
> earlier thread) I am investigating the MD5 possibility.
> The problem I have is that I need to let my code generate the hashes
> written to the .htpasswd file in such a way that Apache will be OK
> with them.
> When reading the PHP documentation I find that the output of the md5()
> function is a 32 byte hex string.
> But the hash generated by the Apache htpasswd command on Windows
> produces hashes like this:
> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
>
> As you can see this is clearly NOT a hex string at all!!!
>
> So is it possible with PHP to generate the .htpasswd file in a format
> that complies with what Apache needs?
>
> And can PHP check if a password hash matches the user supplied
> password after it has been hashed using MD5?
>

Hi again, Bo,

Yes, it is possible for PHP to generate the .htpasswd file by calling a
standalone binary directly (e.g., with proc_open() or other functions in
the same family). Likewise, PHP can validate the hash using the same
method.
From the manual page that I cited in a previous response
( http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ):

-----------------------------------------------------------------------
"$apr1$" + the result of an Apache-specific algorithm using an iterated
(1,000 times) MD5 digest of various combinations of a random 32-bit salt
and the password. See the APR source file apr_md5.c for the details of
the algorithm.

[...]

Generating values with htpasswd

MD5
$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

[...]

Generating CRYPT and MD5 values with the OpenSSL command-line program

OpenSSL knows the Apache-specific MD5 algorithm.

MD5
$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

[...]

Validating CRYPT or MD5 passwords with the OpenSSL command line program

The salt for an MD5 password is between $apr1$ and the following $ (as a
Base64-encoded binary value - max 8 chars).

To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

MD5
$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
-----------------------------------------------------------------------

So, at a minimum, it seems that you should be able to generate
Apache-readable hashes using either the Apache-provided utility binary,
htpasswd, or the "openssl" binary. Given that openssl is available for
most (or all) platforms, including Windows, one of the two should be
sufficient. I grabbed OpenSSL from
http://slproweb.com/products/Win32OpenSSL.html .
Trying htpasswd first:

Generate password:

htpasswd -nbm myName myPassword
myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

Validate password:

openssl passwd -apr1 -salt QF/F.cm5 myPassword
$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

(the hashes match; the password is valid)

Trying openssl next:

openssl passwd -apr1 myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

openssl passwd -apr1 -salt f/X4Z7kl myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

(the hashes match; the password is valid)

This should be everything you need.

-Ben

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
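The "$apr1$" algorithm that the quoted manual page points at (apr_md5.c), ported to Python as an added example. This is not code from the e-mail above, from htpasswd or from APR; it shows what the htpasswd/openssl invocations compute, so an application can write and verify .htpasswd entries without spawning either binary. The function names (apr1_crypt, apr1_verify, htpasswd_line, new_salt) are my own; the expected hashes are the three salt/hash pairs quoted in the thread.

```python
"""
Pure-Python port of the APR "$apr1$" MD5-crypt scheme (apr_md5.c).
Added example, not code from the original e-mail; function names are
the author's own. Test vectors are the hashes quoted in the thread.
"""
import hashlib
import hmac
import secrets

APR1_MAGIC = b"$apr1$"
# APR's itoa64 alphabet: '.' and '/' first, then digits and letters.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> bytes:
    # APR's to64(): emit n characters, least-significant 6 bits first.
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>", as htpasswd -m and openssl passwd -apr1 do."""
    pw = password.encode("utf-8")
    # The salt is at most 8 characters and stops at the first '$'.
    sp = salt.split("$", 1)[0][:8].encode("ascii")

    # The magic string is hashed in, which is why "$apr1$" and plain
    # "$1$" md5crypt give different digests for the same salt.
    ctx = hashlib.md5(pw + APR1_MAGIC + sp)

    # Mix in MD5(pw + salt + pw), one byte per byte of password length.
    final = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(final[:min(16, pl)])
        pl -= 16

    # For each bit of len(pw): a NUL byte if the bit is set, else pw[0].
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1,000 rounds whose inputs depend on the round number.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # APR's byte permutation before the 6-bit encoding.
    f = final
    enc = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (APR1_MAGIC + sp + b"$" + enc).decode("ascii")


def new_salt() -> str:
    # 8 random characters from the itoa64 alphabet, like htpasswd.
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(8))


def htpasswd_line(user: str, password: str) -> str:
    """One .htpasswd line; the user name must not contain the ':' separator."""
    if ":" in user or "\n" in user:
        raise ValueError("user name must not contain ':' or a newline")
    return f"{user}:{apr1_crypt(password, new_salt())}"


def apr1_verify(password: str, stored: str) -> bool:
    """Check a password against a stored $apr1$ hash; the salt sits between the 2nd and 3rd '$'."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "apr1":
        return False
    recomputed = apr1_crypt(password, parts[2])
    # Constant-time comparison of the two encoded strings.
    return hmac.compare_digest(recomputed.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    print(apr1_crypt("myPassword", "r31....."))  # $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
    print(htpasswd_line("myName", "myPassword"))
```

Two points worth keeping in mind when using this. First, the scheme is 1,000 rounds of MD5 over an 8-character salt, so it is cheap to brute-force offline; it is what a .htpasswd consumer has to accept, but where the server's htpasswd offers bcrypt (the -B option in Apache 2.4) that is the better choice for new files. Second, PHP has no built-in for "$apr1$" (its crypt() knows the "$1$" md5crypt variant, which differs only in the magic string but therefore produces a different hash), so a PHP implementation would follow the same steps as the port above.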