cvs commit: apache-1.3/src/support htpasswd.1
coar00/02/18 08:12:42 Modified:src/support htpasswd.1 Log: Fix some typos and make the portability of the MD5 algorithm a little more clear. Revision ChangesPath 1.13 +17 -5 apache-1.3/src/support/htpasswd.1 Index: htpasswd.1 === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- htpasswd.11999/08/02 10:13:48 1.12 +++ htpasswd.12000/02/18 16:12:41 1.13 @@ -1,5 +1,5 @@ -.TH htpasswd 1 February 1997 -.\ Copyright (c) 1997-1999 The Apache Group. All rights reserved. +.TH htpasswd 1 February 2000 +.\ Copyright (c) 1997-2000 The Apache Group. All rights reserved. .\ .\ Redistribution and use in source and binary forms, with or without .\ modification, are permitted provided that the following conditions @@ -61,6 +61,12 @@ ] [ .B \-m +| +.B \-d +| +.B \-s +| +.B \-p ] .I passwdfile .I username @@ -72,9 +78,12 @@ ] [ .B \-m +| .B \-d -.B \-p +| .B \-s +| +.B \-p ] .I passwdfile .I username @@ -123,7 +132,10 @@ Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it is rewritten and truncated. .IP \-m -Use MD5 encryption for passwords. On Windows and TPF, this is the default. +Use Apache's modified MD5 algorithm for passwords. Passwords encrypted +with this algorithm are transportable to any platform (Windows, Unix, +BeOS, et cetera) running Apache 1.3.9 or later. On Windows and TPF, +this flag is the default. .IP \-d Use crypt() encryption for passwords. The default on all platforms but Windows and TPF. Though possibly supported by @@ -137,7 +149,7 @@ .IP \-p Use plaintext passwords. Though .B htpasswd -will support creation on all platofrms, the +will support creation on all platforms, the .B httpd deamon will only accept plain text passwords on Windows and TPF. .IP \fB\fIpasswdfile\fP
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/04/10 08:08:46
Modified:src CHANGES
src/support htpasswd.1 htpasswd.c
Log:
Fix typos that were limiting passwords on Win32 to 8 characters, and
add some more documentation.
Submitted by: Pointed out by [EMAIL PROTECTED]
Revision ChangesPath
1.1305+4 -0 apache-1.3/src/CHANGES
Index: CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1304
retrieving revision 1.1305
diff -u -r1.1304 -r1.1305
--- CHANGES 1999/04/09 13:06:26 1.1304
+++ CHANGES 1999/04/10 15:08:43 1.1305
@@ -1,5 +1,9 @@
Changes with Apache 1.3.7
+ *) Correct an apparent typo: on the Windows and MPE platforms, the
+ htpasswd utility was limiting passwords to only 8 characters.
+ [Ken Coar]
+
*) EBCDIC platforms: David submitted patches for two bugs in the
MD5 digest port for EBCDIC machines:
a) the htdigest utility overwrote the old contents of the digest file
1.10 +53 -2 apache-1.3/src/support/htpasswd.1
Index: htpasswd.1
===
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- htpasswd.11999/04/08 22:17:51 1.9
+++ htpasswd.11999/04/10 15:08:45 1.10
@@ -96,12 +96,20 @@
DBM database see
\fBdbmmanage\fP.
.PP
+.B htpasswd
+encrypts passwords using either a version of MD5 modified for Apache,
+or the system's \fIcrypt()\fP routine. Files managed by
+.B htpasswd
+may contain both types of passwords; some user records may have
+MD5-encrypted passwords while others in the same file may have passwords
+encrypted with \fIcrypt()\fP.
+.PP
This manual page only lists the command line arguments. For details of
the directives necessary to configure user authentication in
.B httpd
see
the Apache manual, which is part of the Apache distribution or can be
-found at http://www.apache.org/.
+found at URL:http://www.apache.org/.
.SH OPTIONS
.IP \-b
Use batch mode; \fIi.e.\fP, get the password from the command line
@@ -135,6 +143,49 @@
entered interactively and the verification entry didn't match, 4 if
its operation was interrupted, and 5 if a value is too long (username,
filename, password, or final computed record).
+.SH EXAMPLES
+\fBhtpasswd /usr/local/etc/apache/.htpasswd-users jsmith\fP
+.IP
+Adds or modifies the password for user \fIjsmith\fP.
+The user is prompted for the password. If executed
+on a Windows system, the password will be encrypted using the
+modified Apache MD5 algorithm; otherwise, the system's
+\fIcrypt()\fP routine will be used. If the file does not
+exist,
+.B htpasswd
+will do nothing except return an error.
+.LP
+\fBhtpasswd -c /home/doe/public_html/.htpasswd jane\fP
+.IP
+Creates a new file and stores a record in it for user \fIjane\fP.
+The user is prompted for the password.
+If the file exists and cannot be read, or cannot be written,
+it is not altered and
+.B htpasswd
+will display a message and return an error status.
+.LP
+\fBhtpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve\fP
+.IP
+Encrypts the password from the command line (\fIPwd4Steve\fP) using
+the MD5 algorithm, and stores it in the specified file.
+.LP
+.SH SECURITY CONSIDERATIONS
+Web password files such as those managed by
+.B htpasswd
+should \fBnot\fP be within the Web server's URI space -- that is,
+they should not be fetchable with a browser.
+.PP
+The use of the \fI-b\fP option is discouraged, since when it is
+used the unencrypted password appears on the command line.
+.SH RESTRICTIONS
+On the Windows and MPE platforms, passwords encrypted with
+.B htpasswd
+are limited to no more than 80 characters in length. Longer
+passwords will be truncated to 80 characters.
+.PP
+The MD5 algorithm used by
+.B htpasswd
+is specific to the Apache software; passwords encrypted using it will not be
+usable with other Web servers.
.SH SEE ALSO
.BR httpd(8)
-.
1.28 +4 -4 apache-1.3/src/support/htpasswd.c
Index: htpasswd.c
===
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- htpasswd.c1999/04/10 03:45:59 1.27
+++ htpasswd.c1999/04/10 15:08:45 1.28
@@ -181,8 +181,8 @@
fputs(prompt, stderr);
gets((char *) password);
-if (strlen((char *) password) 8) {
- password[8] = '\0';
+if (strlen((char *) password) 80) {
+ password[80] = '\0';
}
return (char *) password;
@@ -217,8 +217,8 @@
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/04/08 15:17:56
Modified:src CHANGES
src/support htpasswd.1 htpasswd.c
Log:
Allow (though discouraged) htpasswd to get the password from
the command line. People who wanted this in the past probably
just modified htpasswd.c to do it; that's a lot more difficult
in the Win32 environment.
Revision ChangesPath
1.1302+5 -0 apache-1.3/src/CHANGES
Index: CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1301
retrieving revision 1.1302
diff -u -r1.1301 -r1.1302
--- CHANGES 1999/04/08 21:04:41 1.1301
+++ CHANGES 1999/04/08 22:17:45 1.1302
@@ -1,4 +1,9 @@
Changes with Apache 1.3.7
+ *) support/htpasswd now permits the password to be specified on the
+ command line with the '-b' switch. This is useful when passwords
+ need to be maintained by scripts -- particularly in the Win32
+ environment. [Ken Coar]
+
*) Win32: Win32 multiple services patch. Added capability to install and
run multiple copies of apache as individual services.
1.9 +42 -3 apache-1.3/src/support/htpasswd.1
Index: htpasswd.1
===
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- htpasswd.11999/01/25 22:55:40 1.8
+++ htpasswd.11999/04/08 22:17:51 1.9
@@ -59,12 +59,33 @@
[
.B \-c
]
+[
+.B \-m
+]
.I passwdfile
.I username
+.br
+.B htpasswd
+.B \-b
+[
+.B \-c
+]
+[
+.B \-m
+]
+.I passwdfile
+.I username
+.I password
.SH DESCRIPTION
.B htpasswd
is used to create and update the flat-files used to store
usernames and password for basic authentication of HTTP users.
+If
+.B htpasswd
+cannot access a file, such as not being able to write to the output
+file or not being able to read the file in order to update it,
+it returns an error status and makes no changes.
+.PP
Resources available from the
.B httpd
Apache web server can be restricted to just the users listed
@@ -82,20 +103,38 @@
the Apache manual, which is part of the Apache distribution or can be
found at http://www.apache.org/.
.SH OPTIONS
+.IP \-b
+Use batch mode; \fIi.e.\fP, get the password from the command line
+rather than prompting for it. \fBThis option should be used with
+extreme care, since the password is clearly visible on the command
+line.\fP
.IP \-c
Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it
-is deleted first.
+is rewritten and truncated.
.IP \-m
Use MD5 encryption for passwords. On Windows, this is the only format
supported.
.IP \fB\fIpasswdfile\fP
Name of the file to contain the user name and password. If \-c
is given, this file is created if it does not already exist,
-or deleted and recreated if it does exist.
+or rewritten and truncated if it does exist.
.IP \fB\fIusername\fP
The username to create or update in \fBpasswdfile\fP. If
-\fIusername\fP does not exist is this file, an entry is added. If it
+\fIusername\fP does not exist in this file, an entry is added. If it
does exist, the password is changed.
+.IP \fB\fIpassword\fP
+The plaintext password to be encrypted and stored in the file. Only used
+with the \fI-b\fP flag.
+.SH EXIT STATUS
+.B htpasswd
+returns a zero status (true) if the username and password have
+been successfully added or updated in the \fIpasswdfile\fP.
+.B htpasswd
+returns 1 if it encounters some problem accessing files, 2 if there
+was a syntax problem with the command line, 3 if the password was
+entered interactively and the verification entry didn't match, 4 if
+its operation was interrupted, and 5 if a value is too long (username,
+filename, password, or final computed record).
.SH SEE ALSO
.BR httpd(8)
.
1.26 +44 -13apache-1.3/src/support/htpasswd.c
Index: htpasswd.c
===
RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- htpasswd.c1999/04/08 20:56:44 1.25
+++ htpasswd.c1999/04/08 22:17:53 1.26
@@ -230,17 +230,23 @@
* indicates success; failure means that the output buffer contains an
* error message instead.
*/
-static int mkrecord(char *user, char *record, size_t rlen, int alg)
+static int mkrecord(char *user, char *record, size_t rlen, char *passwd,
+ int alg)
{
char *pw;
char cpw[120];
char salt[9];
-pw = strd((char *) getpass(New password: ));
-if (strcmp(pw, (char *) getpass(Re-type
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/01/25 14:55:41
Modified:.STATUS
src CHANGES
src/ap ap_md5c.c
src/include ap_md5.h
src/modules/standard mod_auth.c mod_auth_db.c mod_auth_dbm.c
src/support htpasswd.1 htpasswd.c
Log:
Enhance the authentication password handling so that stored
passwords can be encrypted with either DES or MD5. htpasswd can
now generate either on systems that allow both, and MD5 on
Win32. .htpasswd files can contain both types; usernames
with passwords encrypted with MD5 and usernames with DES
passwords can appear in the same file. The authentication
modules (mod_auth, mod_auth_db, mod_auth_dbm) autosense the
correct algorithm from the stored password.
This gives us encrypted passwords on Win32 at last. This is
only the first part of the patch; some changes to allow the
Win32 side to build properly are being fixed and should be
committed to-morrow. However, Unix systems can build with
and use these immediately.
Submitted by: Ryan Bloom [EMAIL PROTECTED]
Reviewed by: Ken Coar
Revision ChangesPath
1.607 +1 -5 apache-1.3/STATUS
Index: STATUS
===
RCS file: /home/cvs/apache-1.3/STATUS,v
retrieving revision 1.606
retrieving revision 1.607
diff -u -r1.606 -r1.607
--- STATUS1999/01/20 03:38:18 1.606
+++ STATUS1999/01/25 22:55:31 1.607
@@ -1,5 +1,5 @@
1.3 STATUS:
- Last modified at [$Date: 1999/01/20 03:38:18 $]
+ Last modified at [$Date: 1999/01/25 22:55:31 $]
Release:
@@ -385,10 +385,6 @@
That _really_ sucks. Can we recommend running Apache as some
other user?
-
-* need a crypt() of some sort.
- - sources are easy; problem is export restrictions on DES
- - if we don't do DES, can do md5
* modules that need to be made to work on win32
- mod_example isn't multithreadreded
1.1223+3 -0 apache-1.3/src/CHANGES
Index: CHANGES
===
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1222
retrieving revision 1.1223
diff -u -r1.1222 -r1.1223
--- CHANGES 1999/01/25 18:12:36 1.1222
+++ CHANGES 1999/01/25 22:55:33 1.1223
@@ -1,5 +1,8 @@
Changes with Apache 1.3.5
+ *) Add ability to handle DES or MD5 authentication passwords.
+ [Ryan Bloom [EMAIL PROTECTED]]
+
*) Fix O(n^2) memory consumption in mod_speling. [Dean Gaudet]
*) SECURITY: Avoid some buffer overflow problems when escaping
1.18 +45 -0 apache-1.3/src/ap/ap_md5c.c
Index: ap_md5c.c
===
RCS file: /home/cvs/apache-1.3/src/ap/ap_md5c.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- ap_md5c.c 1999/01/01 19:04:53 1.17
+++ ap_md5c.c 1999/01/25 22:55:36 1.18
@@ -92,6 +92,7 @@
#include ap_config.h
#include ap_md5.h
+#include ap.h
#ifdef CHARSET_EBCDIC
#include ebcdic.h
#endif /*CHARSET_EBCDIC*/
@@ -389,4 +390,48 @@
for (i = 0, j = 0; j len; i++, j += 4)
output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) 8) |
(((UINT4) input[j + 2]) 16) | (((UINT4) input[j + 3]) 24);
+}
+
+API_EXPORT(char *) ap_MD5Encode(const char *password, const char * salt) {
+/* salt has size 2, md5 hash size 22, plus 1 for trailing NUL, plus 4 for
+ '$' separators between md5 distinguisher, salt, and password.*/
+
+static unsigned char ret[2+22+1+4];
+AP_MD5_CTX my_md5;
+unsigned char hash[16], *cp;
+register int i;
+static const char *alphabet =
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./;
+
+/*
+ * Take the MD5 hash of the string argument.
+*/
+
+sprintf(ret, $1$%s$, salt);
+
+/* If the salt is shorter than 2, pad with random characters */
+for (cp = ret[strlen(ret)]; cp ret[2]; ++cp) {
+*cp = alphabet[rand() 0x3F];
+}
+ap_MD5Init(my_md5);
+ap_MD5Update(my_md5, salt, 2);
+ap_MD5Update(my_md5, password, strlen(password));
+ap_MD5Final(hash, my_md5);
+
+/* Take 3*8 bits (3 bytes) and store them as 4 base64 bytes (of 6 bit
each) */
+/* Copy first 15 bytes in loop (producing 20 result bytes) */
+for (i = 0, cp = ret[6]; i 15; i += 3, cp += 4) {
+long l = hash[i] | (hash[i+1] 8) | (hash[i+2] 16);
+
+cp[0] = alphabet[l0x3F];
+cp[1] = alphabet[(l6)0x3F];
+cp[2] = alphabet[(l12)0x3F];
+cp[3] = alphabet[(l18)0x3F];
+}
+cp[0] = alphabet[hash[i]0x3F]; /* Use 16th byte as 21st result byte */
+
cvs commit: apache-1.3/src/support htpasswd.1
rse 98/03/16 08:04:23 Modified:src/support htpasswd.1 Log: And even more cleanups Revision ChangesPath 1.4 +7 -3 apache-1.3/src/support/htpasswd.1 Index: htpasswd.1 === RCS file: /export/home/cvs/apache-1.3/src/support/htpasswd.1,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- htpasswd.11998/01/07 16:47:11 1.3 +++ htpasswd.11998/03/16 16:04:22 1.4 @@ -64,13 +64,17 @@ Resources available from the .B httpd Apache web server can be restricted to just the users listed -in the files created by htpasswd. This program can only be used +in the files created by +.B htpasswd. +This program can only be used when the usernames are stored in a flat-file. To use a DBM database see -\fBdbmmanage\fP and \fBdbmmanage.new\fP. +\fBdbmmanage\fP. .PP This manual page only lists the command line arguments. For details of -the directives necessary to configure user authentication in httpd see +the directives necessary to configure user authentication in +.B httpd +see the Apache manual, which is part of the Apache distribution or can be found at http://www.apache.org/. .SH OPTIONS
