>Number:         4823
>Category:       mod_auth-any
>Synopsis:       crypt() unavailable on Win32 during authentication process
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug 5 07:10:00 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3.6 (WIN32)
>Environment:
OS: Windows95 - OSR2
Apache: binary file release 1.3.6 issued from Apache Org. servers
>Description:
After configuring Apache in a Windows95 environment to support user authentication, an "authorization failed" pop-up box is displayed when authentication is required.

The error logged is:

"...user user_name: authentication failure for "/cgi-bin/admin/CGI_FILE.CMD": crypt() unavailable on Win32, cannot validate password"

For your information, I am currently running some REX CGI programs (e.g. .CMD files).

I also understand we cannot have the same password encryption as in a Unix environment. I read in Laurie's "Apache: The Definitive Guide" book that it should be possible to have a password stored in the file named by the AuthUserFile directive with the following format: user_name:non_encrypted_password. Even if this is not secure, it should be suitable that the server could at least compare the provided password with the stored password.

I did read some piece of Apache code (unfortunately from release 1.6.3) and I saw in the module/standard/mod_auth.c file:

    /* anyone know where the prototype for crypt is? */
    if (strcmp(real_pw, (char *) crypt(sent_pw, real_pw))) {
        ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                      "user %s: password mismatch: %s", c->user, r->uri);
        ap_note_basic_auth_failure(r);
        return AUTH_REQUIRED;
    }

The fact seems to be that the crypt() function is not available in a Windows environment. Is there any way to bypass that problem?

Thank you so much for your help,
Regards,
Pascal Oiry
[EMAIL PROTECTED]
>How-To-Repeat:
To reproduce the problem, just add authentication directives in the httpd.conf file in a Windows95 environment and try to reach a password-protected document.
>Fix:
To fix it, it could be great to have a crypt() function provided either in the mod_auth.c file (with a platform-dependent flag) or in an additional DLL module.
>Audit-Trail:
>Unformatted:
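
The platform-dependent check suggested under >Fix, sketched in C as an added example (not Apache code and not part of the report). HAVE_CRYPT, check_password() and the allow_plaintext switch are hypothetical names, and the sample passwords are constructed. Without crypt() it refuses to validate unless plaintext entries were explicitly allowed, and the comparison does not stop at the first differing byte.

```c
/* Added illustration, not Apache source. HAVE_CRYPT, check_password()
 * and allow_plaintext are hypothetical names. */
#include <stdio.h>
#include <string.h>
#ifdef HAVE_CRYPT
#include <crypt.h> /* glibc; other systems declare crypt() in <unistd.h> */
#endif

enum pw_result { PW_OK, PW_MISMATCH, PW_UNSUPPORTED };

/* String equality that does not stop at the first differing byte. */
static int ct_streq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);

    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* sent_pw: password from the request; real_pw: AuthUserFile entry. */
enum pw_result check_password(const char *sent_pw, const char *real_pw,
                              int allow_plaintext)
{
#ifdef HAVE_CRYPT
    const char *hashed = crypt(sent_pw, real_pw); /* entry doubles as salt */

    (void)allow_plaintext;
    if (hashed == NULL)
        return PW_UNSUPPORTED;
    return ct_streq(hashed, real_pw) ? PW_OK : PW_MISMATCH;
#else
    /* No crypt(): refuse unless the admin opted in to plaintext entries. */
    if (!allow_plaintext)
        return PW_UNSUPPORTED;
    return ct_streq(sent_pw, real_pw) ? PW_OK : PW_MISMATCH;
#endif
}

int main(void)
{
    /* Constructed sample values. */
    printf("%d %d %d\n",
           check_password("secret", "secret", 1),
           check_password("guess", "secret", 1),
           check_password("secret", "secret", 0));
    return 0;
}
```

Built without HAVE_CRYPT, the third call returns PW_UNSUPPORTED, which matches the fail-closed behaviour behind the logged "cannot validate password" message.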