Re: Missing Features of htdigest.c

2005-07-25 Thread Geoffrey Young


Dirk-Willem van Gulik wrote:
> On Mon, 25 Jul 2005, Eli Marmor wrote:
> 
> 
>>3. A C program may be integrated into the source tree of Apache (or
> 
> 
> And while gradually disappearing - I still see a lot of systems in the field
> which do not have perl installed or managed (as well) with apache.

I guess those folks have a difficult time using apxs :)

> 
> So it really ought to be C - or we need to continue to keep those.

ok, well it seems like using the same dbm libraries is important, so I guess
perl isn't an option.  less work for me, then :)

--Geoff


Re: Missing Features of htdigest.c

2005-07-25 Thread Dirk-Willem van Gulik

On Mon, 25 Jul 2005, Eli Marmor wrote:

> 3. A C program may be integrated into the source tree of Apache (or

And while gradually disappearing - I still see a lot of systems in the field
which do not have perl installed or managed (as well) with apache.

So it really ought to be C - or we need to continue to keep those.

Dw.


Re: Missing Features of htdigest.c

2005-07-25 Thread Eli Marmor
Geoffrey Young wrote:

> ...
> so, to that end, to the rest of the developers here's my offer:
> 
> I'll write an htpasswd replacement that will
> 
>   - allow for management of users using Basic or Digest algorithms
>   - allow for varying data stores
>   - allow for varying user algorithms (mixing of Basic and Digest in the
> same store, for example)
>   - support (as best I can) existing options from existing support files
>   - whatever else it ought to do
> 
> it will, of course, be in perl - if people are really just shell'ing out to
> a binary from a CGI then there's no real reason it _needs_ to be in C.  at
> least that I can see :)

Such a project would be great, and we will owe you a lot if this dream
becomes a reality!

There are some issues, however, that we must look at first:

1. It is not going to be finished fast, so maybe I should go on with my
   idea to add DIGEST to htdbm, as a temporary solution till your
   script works.
2. Are you sure that all the apr_functions which deal with auth and its
   storage and databases work with Perl too?  Note that ASF migrated
   from a Perl based script (dbmmanage) to C based program (htdbm),
   probably due to limitations of Perl or apr_functions without a Perl
   API.
3. A C program may be integrated into the source tree of Apache (or
   APR/APR-UTIL) in the future, as a module or API for managing users,
   which is impossible with Perl.

Thanks!
-- 
Eli Marmor
[EMAIL PROTECTED]
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-5237338  Kfar-Saba 44641, Israel


Re: Missing Features of htdigest.c

2005-07-25 Thread Joe Orton
On Mon, Jul 25, 2005 at 08:24:39AM -0400, Geoffrey Young wrote:
> I'll write an htpasswd replacement that will
> 
>   - allow for management of users using Basic or Digest algorithms
>   - allow for varying data stores
>   - allow for varying user algorithms (mixing of Basic and Digest in the
> same store, for example)
>   - support (as best I can) existing options from existing support files
>   - whatever else it ought to do
> 
> it will, of course, be in perl - if people are really just shell'ing out to
> a binary from a CGI then there's no real reason it _needs_ to be in C.  at
> least that I can see :)

The reason the tool should continue to be in C if it's doing database 
manipulation is to ensure that it uses exactly the same database 
libraries that httpd does.  Doing it in Perl can't ensure that (hence 
htdbm to replace dbmmanage).

Regards,

joe


Re: Missing Features of htdigest.c

2005-07-25 Thread Geoffrey Young

> Well, maybe I explained it badly, so I'll try again:

ok :)

> 
> In 2.1, the AAA was totally restructured, to separate the algorithm
> (BASIC or DIGEST or whatever) from the storage (FILE or DBM or a
> database), and to open the full matrix of options to users.
> 
> However, even if it was done in the server (which I didn't check),

it was.

> there
> is no way to use it,

please don't spread FUD like that.  of course you can use it, and I'm sure
many people have and will continue to do so.

> because the supporting programs have never been fixed or
> changed to support it: Nothing was added to dbmmanage or to htdbm or to
> htpasswd to support different algorithms, or at least DIGEST. Moreover,
> the only program which still supports DIGEST - htdigest - does almost
> nothing - no DBM, no database support, and even the minimal features -
> such as non-interactive mode ("-b") so other programs or CGIs can call
> it - are not supported.

ok, I wasn't aware that the majority of people were using these tools
interactively to manage users like that.  at least not on a large scale.  at
least not those that really, really wanted to move to digest :)

but ok, if that's true then sure - we ought to support digest from these
tools... or come up with a better way.

so, to that end, to the rest of the developers here's my offer:

I'll write an htpasswd replacement that will

  - allow for management of users using Basic or Digest algorithms
  - allow for varying data stores
  - allow for varying user algorithms (mixing of Basic and Digest in the
same store, for example)
  - support (as best I can) existing options from existing support files
  - whatever else it ought to do

it will, of course, be in perl - if people are really just shell'ing out to
a binary from a CGI then there's no real reason it _needs_ to be in C.  at
least that I can see :)

anyway, that's the offer.  if others like it and can see integrating it then
I'll do it.  if not, I won't, and no harm done.

--Geoff


Re: Missing Features of htdigest.c

2005-07-24 Thread Eli Marmor
Responding to myself, I want to go on:

May we add "[-D realm]" to the command options of htdbm?
I believe it will not take more than 20 lines; does anybody expect any
problem with it?
Has anybody done a similar thing in htdbm in the past?
And last thing before we add it: Is the new structure of AAA ready to
support it in the server?  I don't want to waste time in the side of the
supporting programs, just to find out that the server lags behind and is
not ready to support what it was supposed to do when it was restructured...

Thanks,
-- 
Eli Marmor
[EMAIL PROTECTED]
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-5237338  Kfar-Saba 44641, Israel


Re: Missing Features of htdigest.c

2005-07-24 Thread Eli Marmor
Geoffrey Young wrote:

> only?  you can certainly add a new user via
> 
>   use Digest::MD5;
> 
>   my $user  = 'user';
>   my $realm = 'realm';
>   my $pass  = 'pass';
> 
>   print "$user:$realm:", Digest::MD5::md5_hex("$user:$realm:$pass"), "\n";
> 
> once you know the algorithm, parsing the file and changing passwords with
> perl is just as simple :)

Well, maybe I explained it badly, so I'll try again:

In 2.1, the AAA was totally restructured, to separate the algorithm
(BASIC or DIGEST or whatever) from the storage (FILE or DBM or a
database), and to open the full matrix of options to users.

However, even if it was done in the server (which I didn't check), there
is no way to use it, because the supporting programs have never been fixed or
changed to support it: Nothing was added to dbmmanage or to htdbm or to
htpasswd to support different algorithms, or at least DIGEST. Moreover,
the only program which still supports DIGEST - htdigest - does almost
nothing - no DBM, no database support, and even the minimal features -
such as non-interactive mode ("-b") so other programs or CGIs can call
it - are not supported.

Has anybody here ever used DIGEST not in a FILE but in DBM or a
database?
How did he do it?
Is there any code sample?
Why don't we just fix dbmmanage and htdbm?
And of course, finally finishing htdigest?  Or add DIGEST as an option
to htpasswd?  (which is better?)
If I do any of the above things, will it be committed? (assuming it's
written according to the guidelines)
Does anybody have existing code or patches to save me time?
Will there be anybody else to help me?

I know that there are tricks to do everything in Perl, but if this is
the way to go - then remove htpasswd/htdigest from the distribution and
ask people to write Perl scripts instead...  ;-)

(I'm not serious, I'm just trying to illustrate why solutions like the
responder suggested are not practical; if the supporting programs lack
minimal and basic features, we must fix them. If htdigest is useless,
either remove it or fix it. And if there is no way to use DIGEST but
only BASIC, then return to the old structure of AAA, because there is
no need to separate the algorithm - there is only BASIC).

Thanks,
-- 
Eli Marmor
[EMAIL PROTECTED]
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-5237338  Kfar-Saba 44641, Israel


Re: Missing Features of htdigest.c

2005-07-24 Thread Geoffrey Young

> As I wrote in my previous message, for example, the only way to add a
> user or change a password from a program and non-interactively, is by
> hacking with TIOCNOTTY and then piping the password twice into
> htpasswd.

only?  you can certainly add a new user via

  use Digest::MD5;

  my $user  = 'user';
  my $realm = 'realm';
  my $pass  = 'pass';

  print "$user:$realm:", Digest::MD5::md5_hex("$user:$realm:$pass"), "\n";

once you know the algorithm, parsing the file and changing passwords with
perl is just as simple :)

--Geoff
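The file layout Geoff's one-liner produces (user:realm:MD5 of user:realm:password), worked into a small non-interactive manager that parses, updates and verifies such a file; this is an added example, not code from the thread or from httpd. The sample file contents are constructed, and the regex, the function names and the rejection of ':' inside user or realm are my own choices.

```python
import hashlib, hmac, re

# One htdigest entry per line, as the thread describes it:
#   user:realm:MD5(user:realm:password)   (32 hex digits, the "HA1")
LINE_RE = re.compile(r"^([^:]+):([^:]+):([0-9a-fA-F]{32})$")


def digest_ha1(user, realm, password):
    """Hex MD5 over 'user:realm:password', what Geoff's Perl one-liner prints."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_htdigest(text):
    """Return ({(user, realm): ha1}, [malformed line numbers]); bad lines are reported, not guessed."""
    entries, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(lineno)
            continue
        user, realm, ha1 = m.groups()
        entries[(user, realm)] = ha1.lower()
    return entries, bad


def set_password(text, user, realm, password):
    """Add or replace (user, realm) in place: the non-interactive "-b" update htdigest lacks."""
    if ":" in user or ":" in realm:
        raise ValueError("':' is the field separator; it cannot appear in user or realm")
    new_line = f"{user}:{realm}:{digest_ha1(user, realm, password)}"
    out, replaced = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == user and m.group(2) == realm:
            out.append(new_line)   # same user/realm: overwrite the stored HA1
            replaced = True
        else:
            out.append(line)       # unrelated lines pass through untouched
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def check_password(text, user, realm, password):
    """Verify a password against the stored HA1 with a constant-time comparison."""
    stored = parse_htdigest(text)[0].get((user, realm))
    return stored is not None and hmac.compare_digest(stored, digest_ha1(user, realm, password))


# Constructed sample file (not from any real deployment): one valid entry, one malformed line.
SAMPLE_FILE = ("alice:Private Area:" + digest_ha1("alice", "Private Area", "s3cret") + "\n"
               "bob:Private Area:not-a-32-hex-digest\n")
```

Realms may contain spaces, which is why the parser splits on ':' only; a CGI that shells out to htdigest today can call set_password on the file contents instead and write the result back atomically.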


Re: Missing Features of htdigest.c

2005-07-24 Thread Eli Marmor
Nick Kew wrote:

> ...
> in 2.1 and up brings it in line with basic authentication in terms
> of flexibility and options.
> 
> ...
> 
> Just upgrade to 2.1/2.2 and it's there.

It seems that I missed the option to use various providers (different
than file) with DIGEST, and it's silly of me, but the main question
remains:

There is a lot of functionality and many flags in htpasswd.c.

htdigest.c still doesn't have any of these, even in the TRUNK.
htdigest.c hasn't changed, almost at all, since it was first introduced.

Its only flag is still "-c" (i.e. create the password file), and there
is no optional parameter or flag.

As I wrote in my previous message, for example, the only way to add a
user or change a password from a program and non-interactively, is by
hacking with TIOCNOTTY and then piping the password twice into
htpasswd.

How can I use htdigest without the current limitations?

Thanks,
-- 
Eli Marmor
[EMAIL PROTECTED]
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-5237338  Kfar-Saba 44641, Israel


Re: Missing Features of htdigest.c

2005-07-24 Thread Nick Kew
On Sun, 24 Jul 2005, Eli Marmor wrote:

> originally, htdigest was planned as the DIGEST equivalent of htpasswd.
>
> However, only a minimal version was released, and since then - it
> has remained a mid-version and has never been finished. Ryan Bloom wrote:

The same is true of httpd itself up to version 2.0.  The refactoring
in 2.1 and up brings it in line with basic authentication in terms
of flexibility and options.

>   When Digest authentication is more prevalent, this program will
>   likely be extended with more options, mirroring the options to
>   the other password-file generators.
>   (Apache Server 2.0, p. 221)
>
> I believe there is a consensus that it's time to finish htdigest.

I hadn't noticed much discussion of the subject, until you posted.

> So before finalizing htdigest, I want to ask several questions:
>
> 1. Is there already a patched version of htdigest, somewhere, that
>    supports more features than the official one?  Did any of you

Not that I'm aware of - but then I haven't looked.  What does google say?

> 2. Is improving htdigest the way to go?  Or is it better to add DIGEST
>    authentication as a new flag for htpasswd, so htpasswd will join
>    both types of authentication and the DIGEST authentication will
>    enjoy the existing flags of htpasswd (like "-b"). And if extending

OTTOMH that sounds like a good plan.

> 3. What about the other BASIC authentications, which don't have a
>    DIGEST equivalent so far?  Like auth_dbm, etc.

Just upgrade to 2.1/2.2 and it's there.

-- 
Nick Kew



Missing Features of htdigest.c

2005-07-24 Thread Eli Marmor
originally, htdigest was planned as the DIGEST equivalent of htpasswd.

However, only a minimal version was released, and since then - it
has remained a mid-version and has never been finished. Ryan Bloom wrote:

When Digest authentication is more prevalent, this program will
likely be extended with more options, mirroring the options to
the other password-file generators.
(Apache Server 2.0, p. 221)

I believe there is a consensus that it's time to finish htdigest.

For example, everybody who tried to call htdigest from a CGI or another
program, to change a password non-interactively, faced the limitations
of htdigest (by the way: if you want to popen() it and stream the
password into it twice, don't be surprised if it will not work: under
most platforms it accesses /dev/tty rather than the standard-input, so
you will have to ioctl() the standard input to TIOCNOTTY before
popening htdigest...).

In htpasswd, this is done by the flag "-b". And this flag is only an
example for the limitations of htdigest.

So before finalizing htdigest, I want to ask several questions:

1. Is there already a patched version of htdigest, somewhere, that
   supports more features than the official one?  Did any of you
   improve htdigest or know anything about such a project?  Before
   investing time, it will be helpful to know if there is somewhere to
   start from.

2. Is improving htdigest the way to go?  Or is it better to add DIGEST
   authentication as a new flag for htpasswd, so htpasswd will join
   both types of authentication and the DIGEST authentication will
   enjoy the existing flags of htpasswd (like "-b"). And if extending
   htpasswd is the way, then what should be done with "realm"?  After
   all, currently it is a "must" in htdigest files, while it doesn't
   exist in htpasswd files. A possible option is to make it a flag,
   but then what should be done if it is used in BASIC auth or if it's
   omitted in DIGEST?  Another option is to put the realm immediately
   after the flag that tells htpasswd to use DIGEST, i.e.:
   htpasswd [-D realm] etc.

3. What about the other BASIC authentications, which don't have a
   DIGEST equivalent so far?  Like auth_dbm, etc.

Thanks,
-- 
Eli Marmor
[EMAIL PROTECTED]
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-5237338  Kfar-Saba 44641, Israel