Helmut Tessarek wrote:
> On 30.03.2007 05:24, Tom Donovan wrote:
>> One problem with your patch is that it wouldn't distinguish between a
>> 32-character password (plain-text passwords work on Windows) and an md5
>> hash.
>
> This is correct, but plain text passwords are only supported on Windows
> because of the lack of the crypt functionality on Windows.
> So it would be unfair not to allow other algorithms for UNIX, but I think I
> have another solution to this.
> Another possibility would be either:
> 1) only do my check for non-Windows platforms
> or (which would be best for both worlds)
> 2) do the check, and if it does not validate, use plaintext on Windows
>
> I have attached the new patch (for 2).
>
> In this case my patch does not change anything, except that it also validates
> 32-char md5 hashes on all systems.
>
>> I think it would be better to use a prefix, like {MD5}. Not perfect,
>> but the {SHA1} prefix has already set a precedent for this in apr. If
>> the database contains only the 32-char hash, you could use an SQL stmt
>> like this:
>>
>> "SELECT '{MD5}' || Password AS Password FROM Users WHERE UserName = ?"
>
> When using a prefix, then you would have to change either the rows in the
> table or you would have to use a statement as you have suggested.
> If you change the statement then only 32-char md5 hashes can be used for
> authentication.
> The good thing when using apr_password_validate is that you can use all the
> different hashes in one table.
IMO, these are the wrong approaches, changing APR to support this, that is.
I would highly prefer we just add a 'password format' command to
mod_authnz_dbd. Just like mod_authn_dbi had:
http://mod-auth.sourceforge.net/docs/mod_authn_dbi/#authndbipasswordformat
-Paul
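The two approaches argued over above, side by side, as an added example (not APR, mod_authnz_dbd or mod_authn_dbi code): a prefix-dispatching validator in the style of apr_password_validate, handling the existing {SHA1} form, the {MD5} prefix Tom proposes (hex encoding and the prefix spelling are assumptions of this example; $apr1$ and crypt() are not reproduced), and the Windows plain-text fallback; a length-based validator in the style of the patch's option 2; and an in-memory sqlite3 Users table run against both the prefixing SELECT from the thread and a plain SELECT. The user names, passwords and rows are constructed for the example.

```python
"""Prefix-based vs. length-based detection of stored password formats.
Added example for the thread above; not code from APR or any mod_authn* module."""
import base64
import hashlib
import hmac
import sqlite3


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    return hmac.compare_digest(a.encode(), b.encode())


def sha1_apr(password: str) -> str:
    """apr's existing {SHA1} form: the prefix plus base64 of the raw SHA-1 digest."""
    return "{SHA1}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def md5_hex(password: str) -> str:
    """Bare 32-character hex MD5, the form the patch wants to validate."""
    return hashlib.md5(password.encode()).hexdigest()


def validate_by_prefix(password: str, stored: str, windows: bool = False) -> bool:
    """Dispatch on a prefix in the stored value (Tom's suggestion).
    {MD5} is an assumed prefix; real apr_password_validate also handles
    $apr1$ and crypt() forms, omitted here."""
    if stored.startswith("{SHA1}"):
        return _eq(sha1_apr(password), stored)
    if stored.startswith("{MD5}"):
        return _eq(md5_hex(password), stored[len("{MD5}"):].lower())
    if windows:
        # Plain-text fallback, as on Windows where crypt() is unavailable.
        return _eq(password, stored)
    return False


def is_md5_hex(s: str) -> bool:
    return len(s) == 32 and all(c in "0123456789abcdefABCDEF" for c in s)


def validate_by_length(password: str, stored: str, windows: bool = False) -> bool:
    """The patch's option 2: keep existing checks, treat any 32-char hex value as
    an MD5 hash, and on Windows fall back to plain text when that fails."""
    if stored.startswith("{SHA1}"):
        return _eq(sha1_apr(password), stored)
    if is_md5_hex(stored) and _eq(md5_hex(password), stored.lower()):
        return True
    if windows:
        return _eq(password, stored)
    return False


# The statement from the thread, and a plain one for comparison.
PREFIXING_STMT = "SELECT '{MD5}' || Password AS Password FROM Users WHERE UserName = ?"
PLAIN_STMT = "SELECT Password FROM Users WHERE UserName = ?"


def build_db() -> sqlite3.Connection:
    """Constructed sample table mixing three storage formats in one column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", [
        ("alice", sha1_apr("alice-pw")),            # already carries {SHA1}
        ("bob", md5_hex("bob-pw")),                 # bare 32-char hex MD5
        ("carol", "{MD5}" + md5_hex("carol-pw")),   # MD5 stored with the prefix
    ])
    return conn


def check(conn: sqlite3.Connection, user: str, password: str, stmt: str) -> bool:
    """Fetch the stored value with the given statement and validate by prefix."""
    row = conn.execute(stmt, (user,)).fetchone()
    return row is not None and validate_by_prefix(password, row[0])


if __name__ == "__main__":
    db = build_db()
    for stmt in (PREFIXING_STMT, PLAIN_STMT):
        print(stmt)
        for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")):
            print(f"  {user}: {check(db, user, pw, stmt)}")
    h = md5_hex("secret")
    print("length heuristic, Windows, hash string as password:",
          validate_by_length(h, h, windows=True))
```

The SQL rewrite makes bob's bare hash validate but breaks alice and carol, whose rows now arrive as `{MD5}{SHA1}...` and `{MD5}{MD5}...`; the plain statement does the reverse. Storing the prefix in the row is what lets every format share one column. The last line shows the ambiguity Tom raised: under the length heuristic with the Windows fallback, a stored MD5 hash also authenticates when typed in literally as the password, because the failed MD5 comparison falls through to a plain-text match of the row against itself; the prefixed form has no such fallback.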