Quoting Noel Butler <noel.but...@ausics.net>:

On Thu, 2012-01-05 at 04:05 +0100, Pascal Volk wrote:

On 01/05/2012 03:36 AM Noel Butler wrote:

>
> Because with multiple servers, we store them all in (replicated)
> mysql :)  (the same with postfix/dovecot).
> and as I'm sure you are aware, Apache does not understand standard
> crypted MD5, hence why there is the second option of apache_md5_crypt()

Oh, let me guess: You are using Windows, Netware, TPF as OS for your
web servers? ;-)

man htpasswd | grep -- '-d  '
-d Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware and TPF.


As you may have seen in my previous mail, the password is generated
using crypt(). HTTP Authentication works with that password hash, even
with the httpd from the ASF.



I think you need to do some homework, and although I now have 3.25 days
of holidays remaining, I don't intend to waste them educating anybody
hehe. Assuming you even know what I'm talking about, which I suspect you
don't since you keep using console commands and things like htpasswd,
which does not write to a mysql db, you don't seem to have comprehended
that I do not work with flat files nor local so it is irrelevant, I use
perl scripts for all systems management, so I hope you are not going to
suggest that I should make a system call when I can do it natively in
perl.

But please, by all means, create a mysql db using a system crypted md5
password, I'll even help ya, openssl passwd -1  foobartilly

$1$e3a.f3uW$SYRQiMlEhC5XlnSxtxiNC/

pop the entry into the db and go for your life trying to authenticate.


and when you've gone through half a bottle of bourbon trying to figure out
why it's not working, try the apache crypted md5 version $apr1$yKxk.DrQ$ybcmM8mC1qD5t5FvoY9820

MySQL supports crypt right in it, so you can just submit the password to the MySQL crypt function. We know Perl has to support it also.

The first thing I did when I was hired was to convert the password database from md5 to $6$. After that, I secured the machines that could be secured and majorly limited which of them could get access to the list. About a month or two after this, we had about a thousand accounts compromised. So someone obviously got the list from how the old system was set up, as every compromised password contains only lowercase letters and is less than 8 characters long.


I won't say salted anything is bad, but keep the salt lengths up. Start with 8 bytes at least.

crypt's new option to support rounds also makes it a lot of fun, too bad I haven't seen consistent support for it yet, so I haven't been able to make use of that option.
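The mismatch the thread turns on, a `$1$` hash stored where Apache expects `$apr1$`, in code. This is an added example, not code from any poster: the MD5-crypt scheme that both magics share (Apache's apr1 is the same algorithm with a different magic string), plus a `verify()` that reads scheme and salt from the stored field, so a `$1$` digest never verifies under `$apr1$`. Function names are this example's own; the salt and password used in the check below are the ones quoted in the thread.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    # crypt(3) base64: n characters, 6 bits each, least significant bits first
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    # MD5-crypt as in FreeBSD/glibc; Apache's apr1 is the same with magic "$apr1$"
    pw, mg, salt = password.encode(), magic.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + mg + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000 rounds; this scheme has no rounds= option
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f, groups = final, [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return magic + salt.decode() + "$" + enc + _to64(f[11], 2)


def verify(password: str, stored: str) -> bool:
    # Pick the scheme from the stored field's magic; compare in constant time
    m = re.fullmatch(r"(\$(?:1|apr1)\$)([^$]{1,8})\$[./0-9A-Za-z]{22}", stored)
    if not m:
        return False
    magic, salt = m.groups()
    return hmac.compare_digest(md5_crypt(password, salt, magic), stored)
```

Hashing the same password and salt under both magics gives two different 22-character digests, which is exactly why a row written with `$1$` fails against httpd.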

