cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/06/03 08:42:39 Modified:src CHANGES src/support htpasswd.1 htpasswd.c Log: Document the length restrictions on the username and password for src/support/htpasswd. Also gritch about illegal characters in the username (':' is the field separator). Revision ChangesPath 1.1367+5 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1366 retrieving revision 1.1367 diff -u -r1.1366 -r1.1367 --- CHANGES 1999/06/02 20:11:16 1.1366 +++ CHANGES 1999/06/03 15:42:33 1.1367 @@ -1,5 +1,10 @@ Changes with Apache 1.3.7 + *) When the username or password fed to htpasswd is too long, include the + size limit in the error message. Also report illegal characters + (currently only ':') in the username. Add the size restrictions + to the man page. [Ken Coar] + *) Fixed the configure --without-support option so it doesn't result in an infinite loop. [Marc Slemko] 1.11 +7 -4 apache-1.3/src/support/htpasswd.1 Index: htpasswd.1 === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- htpasswd.11999/04/10 15:08:45 1.10 +++ htpasswd.11999/06/03 15:42:38 1.11 @@ -141,8 +141,9 @@ returns 1 if it encounters some problem accessing files, 2 if there was a syntax problem with the command line, 3 if the password was entered interactively and the verification entry didn't match, 4 if -its operation was interrupted, and 5 if a value is too long (username, -filename, password, or final computed record). +its operation was interrupted, 5 if a value is too long (username, +filename, password, or final computed record), and 6 if the username +contains illegal characters (see the \fBRESTRICTIONS\fP section). .SH EXAMPLES \fBhtpasswd /usr/local/etc/apache/.htpasswd-users jsmith\fP .IP 
@@ -180,12 +181,14 @@ .SH RESTRICTIONS On the Windows and MPE platforms, passwords encrypted with .B htpasswd -are limited to no more than 80 characters in length. Longer -passwords will be truncated to 80 characters. +are limited to no more than 255 characters in length. Longer +passwords will be truncated to 255 characters. .PP The MD5 algorithm used by .B htpasswd is specific to the Apache software; passwords encrypted using it will not be usable with other Web servers. +.PP +Usernames are limited to 255 bytes and may not include the character ':'. .SH SEE ALSO .BR httpd(8) 1.31 +15 -62apache-1.3/src/support/htpasswd.c Index: htpasswd.c === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v retrieving revision 1.30 retrieving revision 1.31 diff -u -r1.30 -r1.31 --- htpasswd.c1999/05/31 19:44:30 1.30 +++ htpasswd.c1999/06/03 15:42:38 1.31 @@ -75,6 +75,7 @@ * 4: Failure; operation interrupted (such as with CTRL/C) * 5: Failure; buffer would overflow (username, filename, or computed * record too long) + * 6: Failure; username contains illegal or reserved characters */ #include "ap_config.h" @@ -107,6 +108,7 @@ #define ERR_PWMISMATCH 3 #define ERR_INTERRUPTED 4 #define ERR_OVERFLOW 5 +#define ERR_BADUSER 6 /* * This needs to be declared statically so the signal handler can 
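Review bot: `#define ERR_BADUSER 6` is introduced for usernames containing ':' (the field separator), but the record this program writes is also line-delimited, so a username carrying a '\n' or '\r' would break the file layout just as badly; the check that returns this code is not in these hunks, so I can't confirm what it rejects, but it should treat line terminators as illegal too. The exit-code comment added in the @@ -75 hunk is the natural place to record that, e.g. ` * 6: Failure; username contains illegal or reserved characters (':' or line terminators)`, and the new RESTRICTIONS sentence in htpasswd.1 would then need the same wording so the two stay in step. Since the file already keeps the code list as `#define`s, adding a matching `#define` is consistent; if this list is ever reworked, an `enum` would keep the numbers debugger-visible and block-scoped.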
@@ -160,64 +162,7 @@ } } -#ifdef MPE /* - * MPE lacks getpass() and a way to suppress stdin echo. So for now, just - * issue the prompt and read the results with echo. (Ugh). - */ - -static char *getpass(const char *prompt) -{ -static char password[81]; - -fputs(prompt, stderr); -gets((char *) &password); - -if (strlen((char *) &password) > 80) { - password[80] = '\0'; -} - -return (char *) &password; -} - -#endif - -#ifdef WIN32 -/* - * Windows lacks getpass(). So we'll re-implement it here. - */ - -static char *getpass(const char *prompt) -{ -static char password[81]; -int n = 0; - -fputs(prompt, stderr); - -while ((password[n] = _getch()) != '\r') { -if (password[n] >= ' ' && password[n] <= '~') { -n++; -printf("*"); -} - else { -printf("\n"); -fputs(prompt, stderr); -n = 0; -} -} - -password[n] = '\0'; -printf("\n"); - -if (n > 80) { -password[80] = '\0'; -} - -return (char *) &password; -} -#endif - -/* * Make a password record from the g
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/04/10 08:08:46 Modified:src CHANGES src/support htpasswd.1 htpasswd.c Log: Fix typos that were limiting passwords on Win32 to 8 characters, and add some more documentation. Submitted by: Pointed out by <[EMAIL PROTECTED]> Revision ChangesPath 1.1305+4 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1304 retrieving revision 1.1305 diff -u -r1.1304 -r1.1305 --- CHANGES 1999/04/09 13:06:26 1.1304 +++ CHANGES 1999/04/10 15:08:43 1.1305 @@ -1,5 +1,9 @@ Changes with Apache 1.3.7 + *) Correct an apparent typo: on the Windows and MPE platforms, the + htpasswd utility was limiting passwords to only 8 characters. + [Ken Coar] + *) EBCDIC platforms: David submitted patches for two bugs in the MD5 digest port for EBCDIC machines: a) the htdigest utility overwrote the old contents of the digest file 1.10 +53 -2 apache-1.3/src/support/htpasswd.1 Index: htpasswd.1 === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- htpasswd.11999/04/08 22:17:51 1.9 +++ htpasswd.11999/04/10 15:08:45 1.10 @@ -96,12 +96,20 @@ DBM database see \fBdbmmanage\fP. .PP +.B htpasswd +encrypts passwords using either a version of MD5 modified for Apache, +or the system's \fIcrypt()\fP routine. Files managed by +.B htpasswd +may contain both types of passwords; some user records may have +MD5-encrypted passwords while others in the same file may have passwords +encrypted with \fIcrypt()\fP. +.PP This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in .B httpd see the Apache manual, which is part of the Apache distribution or can be -found at http://www.apache.org/. +found at http://www.apache.org/>. .SH OPTIONS .IP \-b Use batch mode; \fIi.e.\fP, get the password from the command line 
@@ -135,6 +143,49 @@ entered interactively and the verification entry didn't match, 4 if its operation was interrupted, and 5 if a value is too long (username, filename, password, or final computed record). +.SH EXAMPLES +\fBhtpasswd /usr/local/etc/apache/.htpasswd-users jsmith\fP +.IP +Adds or modifies the password for user \fIjsmith\fP. +The user is prompted for the password. If executed +on a Windows system, the password will be encrypted using the +modified Apache MD5 algorithm; otherwise, the system's +\fIcrypt()\fP routine will be used. If the file does not +exist, +.B htpasswd +will do nothing except return an error. +.LP +\fBhtpasswd -c /home/doe/public_html/.htpasswd jane\fP +.IP +Creates a new file and stores a record in it for user \fIjane\fP. +The user is prompted for the password. +If the file exists and cannot be read, or cannot be written, +it is not altered and +.B htpasswd +will display a message and return an error status. +.LP +\fBhtpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve\fP +.IP +Encrypts the password from the command line (\fIPwd4Steve\fP) using +the MD5 algorithm, and stores it in the specified file. +.LP +.SH SECURITY CONSIDERATIONS +Web password files such as those managed by +.B htpasswd +should \fBnot\fP be within the Web server's URI space -- that is, +they should not be fetchable with a browser. +.PP +The use of the \fI-b\fP option is discouraged, since when it is +used the unencrypted password appears on the command line. +.SH RESTRICTIONS +On the Windows and MPE platforms, passwords encrypted with +.B htpasswd +are limited to no more than 80 characters in length. Longer +passwords will be truncated to 80 characters. +.PP +The MD5 algorithm used by +.B htpasswd +is specific to the Apache software; passwords encrypted using it will not be +usable with other Web servers. .SH SEE ALSO .BR httpd(8) -. 
1.28 +4 -4 apache-1.3/src/support/htpasswd.c Index: htpasswd.c === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- htpasswd.c1999/04/10 03:45:59 1.27 +++ htpasswd.c1999/04/10 15:08:45 1.28 @@ -181,8 +181,8 @@ fputs(prompt, stderr); gets((char *) &password); -if (strlen((char *) &password) > 8) { - password[8] = '\0'; +if (strlen((char *) &password) > 80) { + password[80] = '\0'; } return (char *) &password; @@ -217,8 +217,8 @@
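Review bot: The corrected `> 80` bound in the MPE getpass() is applied only after `gets((char *) &password);` has already written into the 81-byte static buffer, so the new check cannot prevent an overflow — it merely truncates whatever survived. The read itself has to be bounded by the buffer, `if (fgets(password, sizeof password, stdin) == NULL) password[0] = '\0';` followed by `password[strcspn(password, "\n")] = '\0';`, after which the post-read truncation is unnecessary. The same static-buffer-plus-late-truncation shape appears in the Win32 getpass() at @@ -217, which is cut off in this view, so its bound can't be confirmed here; getpass()'s opening lines also lie outside this hunk.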
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/04/08 15:17:56 Modified:src CHANGES src/support htpasswd.1 htpasswd.c Log: Allow (though discouraged) htpasswd to get the password from the command line. People who wanted this in the past probably just modified htpasswd.c to do it; that's a lot more difficult in the Win32 environment. Revision ChangesPath 1.1302+5 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1301 retrieving revision 1.1302 diff -u -r1.1301 -r1.1302 --- CHANGES 1999/04/08 21:04:41 1.1301 +++ CHANGES 1999/04/08 22:17:45 1.1302 @@ -1,4 +1,9 @@ Changes with Apache 1.3.7 + *) support/htpasswd now permits the password to be specified on the + command line with the '-b' switch. This is useful when passwords + need to be maintained by scripts -- particularly in the Win32 + environment. [Ken Coar] + *) Win32: Win32 multiple services patch. Added capability to install and run multiple copies of apache as individual services. 1.9 +42 -3 apache-1.3/src/support/htpasswd.1 Index: htpasswd.1 === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.1,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- htpasswd.11999/01/25 22:55:40 1.8 +++ htpasswd.11999/04/08 22:17:51 1.9 @@ -59,12 +59,33 @@ [ .B \-c ] +[ +.B \-m +] .I passwdfile .I username +.br +.B htpasswd +.B \-b +[ +.B \-c +] +[ +.B \-m +] +.I passwdfile +.I username +.I password .SH DESCRIPTION .B htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users. +If +.B htpasswd +cannot access a file, such as not being able to write to the output +file or not being able to read the file in order to update it, +it returns an error status and makes no changes. +.PP Resources available from the .B httpd Apache web server can be restricted to just the users listed 
@@ -82,20 +103,38 @@ the Apache manual, which is part of the Apache distribution or can be found at http://www.apache.org/. .SH OPTIONS +.IP \-b +Use batch mode; \fIi.e.\fP, get the password from the command line +rather than prompting for it. \fBThis option should be used with +extreme care, since the password is clearly visible on the command +line.\fP .IP \-c Create the \fIpasswdfile\fP. If \fIpasswdfile\fP already exists, it -is deleted first. +is rewritten and truncated. .IP \-m Use MD5 encryption for passwords. On Windows, this is the only format supported. .IP \fB\fIpasswdfile\fP Name of the file to contain the user name and password. If \-c is given, this file is created if it does not already exist, -or deleted and recreated if it does exist. +or rewritten and truncated if it does exist. .IP \fB\fIusername\fP The username to create or update in \fBpasswdfile\fP. If -\fIusername\fP does not exist is this file, an entry is added. If it +\fIusername\fP does not exist in this file, an entry is added. If it does exist, the password is changed. +.IP \fB\fIpassword\fP +The plaintext password to be encrypted and stored in the file. Only used +with the \fI-b\fP flag. +.SH EXIT STATUS +.B htpasswd +returns a zero status ("true") if the username and password have +been successfully added or updated in the \fIpasswdfile\fP. +.B htpasswd +returns 1 if it encounters some problem accessing files, 2 if there +was a syntax problem with the command line, 3 if the password was +entered interactively and the verification entry didn't match, 4 if +its operation was interrupted, and 5 if a value is too long (username, +filename, password, or final computed record). .SH SEE ALSO .BR httpd(8) . 1.26 +44 -13apache-1.3/src/support/htpasswd.c Index: htpasswd.c === RCS file: /home/cvs/apache-1.3/src/support/htpasswd.c,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- htpasswd.c1999/04/08 20:56:44 1.25 +++ htpasswd.c1999/04/08 22:17:53 1.26 
@@ -230,17 +230,23 @@ * indicates success; failure means that the output buffer contains an * error message instead. */ -static int mkrecord(char *user, char *record, size_t rlen, int alg) +static int mkrecord(char *user, char *record, size_t rlen, char *passwd, + int alg) { char *pw; char cpw[120]; char salt[9]; -pw = strd((char *) getpass("New password: ")); -if (strcmp(pw, (char *) getpass("Re-
cvs commit: apache-1.3/src/support htpasswd.1 htpasswd.c
coar99/01/25 14:55:41 Modified:.STATUS src CHANGES src/ap ap_md5c.c src/include ap_md5.h src/modules/standard mod_auth.c mod_auth_db.c mod_auth_dbm.c src/support htpasswd.1 htpasswd.c Log: Enhance the authentication password handling so that stored passwords can be encrypted with either DES or MD5. htpasswd can now generate either on systems that allow both, and MD5 on Win32. .htpasswd files can contain both types; usernames with passwords encrypted with MD5 and usernames with DES passwords can appear in the same file. The authentication modules (mod_auth, mod_auth_db, mod_auth_dbm) autosense the correct algorithm from the stored password. This gives us encrypted passwords on Win32 at last. This is only the first part of the patch; some changes to allow the Win32 side to build properly are being fixed and should be committed to-morrow. However, Unix systems can build with and use these immediately. Submitted by: Ryan Bloom <[EMAIL PROTECTED]> Reviewed by: Ken Coar Revision ChangesPath 1.607 +1 -5 apache-1.3/STATUS Index: STATUS === RCS file: /home/cvs/apache-1.3/STATUS,v retrieving revision 1.606 retrieving revision 1.607 diff -u -r1.606 -r1.607 --- STATUS1999/01/20 03:38:18 1.606 +++ STATUS1999/01/25 22:55:31 1.607 @@ -1,5 +1,5 @@ 1.3 STATUS: - Last modified at [$Date: 1999/01/20 03:38:18 $] + Last modified at [$Date: 1999/01/25 22:55:31 $] Release: @@ -385,10 +385,6 @@ That _really_ sucks. Can we recommend running Apache as some other user? - -* need a crypt() of some sort. - - sources are easy; problem is export restrictions on DES - - if we don't do DES, can do md5 * modules that need to be made to work on win32 - mod_example isn't multithreadreded 1.1223+3 -0 apache-1.3/src/CHANGES Index: CHANGES === RCS file: /home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1222 retrieving revision 1.1223 diff -u -r1.1222 -r1.1223 --- CHANGES 1999/01/25 18:12:36 1.1222 +++ CHANGES 1999/01/25 22:55:33 1.1223 
@@ -1,5 +1,8 @@ Changes with Apache 1.3.5 + *) Add ability to handle DES or MD5 authentication passwords. + [Ryan Bloom <[EMAIL PROTECTED]>] + *) Fix O(n^2) memory consumption in mod_speling. [Dean Gaudet] *) SECURITY: Avoid some buffer overflow problems when escaping 1.18 +45 -0 apache-1.3/src/ap/ap_md5c.c Index: ap_md5c.c === RCS file: /home/cvs/apache-1.3/src/ap/ap_md5c.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- ap_md5c.c 1999/01/01 19:04:53 1.17 +++ ap_md5c.c 1999/01/25 22:55:36 1.18 @@ -92,6 +92,7 @@ #include "ap_config.h" #include "ap_md5.h" +#include "ap.h" #ifdef CHARSET_EBCDIC #include "ebcdic.h" #endif /*CHARSET_EBCDIC*/ 
@@ -389,4 +390,48 @@ for (i = 0, j = 0; j < len; i++, j += 4) output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) << 8) | (((UINT4) input[j + 2]) << 16) | (((UINT4) input[j + 3]) << 24); +} + +API_EXPORT(char *) ap_MD5Encode(const char *password, const char * salt) { +/* salt has size 2, md5 hash size 22, plus 1 for trailing NUL, plus 4 for + '$' separators between md5 distinguisher, salt, and password.*/ + +static unsigned char ret[2+22+1+4]; +AP_MD5_CTX my_md5; +unsigned char hash[16], *cp; +register int i; +static const char *alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"; + +/* + * Take the MD5 hash of the string argument. +*/ + +sprintf(ret, "$1$%s$", salt); + +/* If the salt is shorter than 2, pad with random characters */ +for (cp = &ret[strlen(ret)]; cp < &ret[2]; ++cp) { +*cp = alphabet[rand() & 0x3F]; +} +ap_MD5Init(&my_md5); +ap_MD5Update(&my_md5, salt, 2); +ap_MD5Update(&my_md5, password, strlen(password)); +ap_MD5Final(hash, &my_md5); + +/* Take 3*8 bits (3 bytes) and store them as 4 base64 bytes (of 6 bit each) */ +/* Copy first 15 bytes in loop (producing 20 result bytes) */ +for (i = 0, cp = &ret[6]; i < 15; i += 3, cp += 4) { +long l = hash[i] | (hash[i+1] << 8) | (hash[i+2] << 16); + +cp[0] = alphabet[l&0x3F]; +cp[1] = alphabet[(l>>6)&0x3F]; +cp[2] = alphabet[(l>>12)&0x3F]; +cp[3] = alphabet[(l>>18)&0x3F]; +} +cp[0] = alphabet[hash[i]&0x3