https://issues.apache.org/bugzilla/show_bug.cgi?id=44578
Summary: mod_authn_dbd option to let database validate password
Product: Apache httpd-2
Version: 2.2-HEAD
Platform: All
OS/Version: All
Status: NEW
Keywords: PatchAvailable
Severity: enhancement
Priority: P2
Component: Other Modules
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Created an attachment (id=21651)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=21651)
httpd trunk (r628393) patch - also applies to 2.2.8 cleanly
It is a frequent problem that mod_authn_dbd cannot be used with existing SQL
databases because passwords are not stored in one of the Apache formats:
{$apr1$}, {SHA}, crypt (Unix), or plaintext (Windows/Netware).
This proposal is for an optional 2nd 'VALIDATE' argument to the
AuthDBDUserPWQuery directive which lets the database determine whether the
password is valid without relying on the APR password hashing functions.
The VALIDATE argument indicates that the plaintext password is passed as the
first query parameter and the username is passed as the second parameter.
When the first column of the first returned row is a non-zero number or "T" or
"TRUE" (case insensitive), the password is accepted - otherwise the password is
rejected.
Note that when no rows are returned, mod_authn_dbd already reports
AUTH_USER_NOT_FOUND.
A common example is when passwords are stored using the database provider's MD5
function which is incompatible with Apache encrypted password formats:
MySQL or PostgreSQL:
AuthDBDUserPWQuery \
"SELECT (password = MD5(%s)) FROM users WHERE username = %s" \
VALIDATE
SQLServer:
AuthDBDUserPWQuery \
"SELECT CASE password WHEN HashBytes('MD5', %s) THEN 1 ELSE 0 END \
FROM users WHERE username = %s" \
VALIDATE
Oracle 10g:
AuthDBDUserPWQuery \
"SELECT CASE WHEN DBMS_CRYPTO.HASH(RAWTOHEX(%s),2) = password THEN 1 ELSE 0 END \
FROM users WHERE username = %s" \
VALIDATE
The password is passed as the 1st parameter and the username as the 2nd
parameter because this order makes constructing the SQL statement considerably
easier, since the username is almost always used in a SQL predicate clause.
All SQL databases which support boolean values cast them to strings as "0" or
"1"; "t" or "f"; or "TRUE" or "FALSE".
This option is not useful for digest authentication because Apache does not
have the plaintext password when digest authentication is used.
It may be good to note in the documentation that the security of the database
connection and database SQL logging should be considered when a plaintext
password is passed to the database using the VALIDATE option.
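The acceptance rule described above, worked through as an added example that is not part of the report or of the attached patch: a Python/sqlite3 stand-in for mod_authn_dbd that binds the plaintext password as the first query parameter and the username as the second, runs the MySQL/PostgreSQL-style query from the report, and maps the first column of the first row to granted, denied, or user-not-found. The MD5() function, the users table and the row for "alice" are constructed here for the demo, and sqlite3's "?" placeholders stand in for mod_dbd's %s.

```python
import hashlib
import sqlite3

# Outcome labels modelled on mod_authn_dbd's return codes (constructed for this demo).
AUTH_GRANTED, AUTH_DENIED, AUTH_USER_NOT_FOUND = "GRANTED", "DENIED", "USER_NOT_FOUND"


def column_is_true(value):
    """Apply the proposal's rule to the first column of the first returned row:
    accept a non-zero number, or the strings 'T' / 'TRUE' (case-insensitive).
    Drivers may hand back booleans as numbers or as strings ("0"/"1", "t"/"f",
    "TRUE"/"FALSE"), so both representations are handled."""
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    text = str(value).strip()
    if text.upper() in ("T", "TRUE"):
        return True
    try:
        return float(text) != 0
    except ValueError:
        return False  # anything else ("f", "FALSE", garbage) rejects the password


def validate_password(conn, query, user, password):
    """Run a VALIDATE-style query: password bound 1st, username bound 2nd.
    No rows at all means the user does not exist, as mod_authn_dbd already reports."""
    rows = conn.execute(query, (password, user)).fetchall()
    if not rows:
        return AUTH_USER_NOT_FOUND
    return AUTH_GRANTED if column_is_true(rows[0][0]) else AUTH_DENIED


def build_demo_db():
    """Constructed in-memory users table; SQLite has no MD5(), so one is registered
    so that the MySQL/PostgreSQL query from the report runs unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, MD5(?))", ("alice", "correct horse"))
    return conn


# The report's query, with %s rewritten as sqlite3's '?' placeholder.
VALIDATE_QUERY = "SELECT (password = MD5(?)) FROM users WHERE username = ?"

if __name__ == "__main__":
    db = build_demo_db()
    for who, pw in (("alice", "correct horse"), ("alice", "wrong"), ("bob", "x")):
        print(who, "->", validate_password(db, VALIDATE_QUERY, who, pw))
```

Because the password reaches the database as a bound parameter, the connection transport and any statement logging on the database side see it in plaintext, which is the point the report raises for the documentation.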