[EMAIL PROTECTED] .htpasswd problems
Hi All I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good place to start, even it is just to get someone to guide me in the right direction. Some years ago I wrote web front-end for managing .htpasswd files. My client has been using this for years. Everything is written in php and I use crypt without a seed to encrypt the passwords. Basically what I do is to allow the user to create entries in the .htadmin file. They can also manage the .htpasswd file by editing and deleting entries. Everything worked very well for about 2 years at which point the passwords wouldn't work anymore. I couldn't figure out what was wrong and the client's ISP would help finding the fault and I couldn't reproduce the problem on my own servers. I then moved everything onto my own servers and everything worked again for several years. Unfortunately I then had to move onto rented web space where everything continued to work for another year or so and now I'm experiencing the same problem again. When the problem originally started I modified the scripts to keep a copy of the .htpasswd file with open passwords and I added a menu item to allow the user to re-submit the password file. The would encrypt all the passwords again and write them to the .htpasswd file and things would work again for a few days. Now however the thing breaks so often that we just can carry on resubmitting again. I have once again moved everything onto my servers and since last night I discovered one thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a different hash for the password everytime you run it. However, when you log in, it works, even thought the password in the .htpasswd file seemed to have change. My question in the first place then is: How on earth does htpasswd manage to authenticate if the password hash changes every time. My understanding of how authentication work is that the password is saved as a md5 or DES hash and when the user tries to log in he enters his clear password which is then encrypted and compared with the hash in the password file. Surely though the two hashes should be the same. If however a seed is used which is different every time the encrypting is done then we'll get a different password every time and they should be equal. Why then does apache still authenticate the user? My second question is: Did the way htpasswd and apache work change at some stage, or why did my scripts stop working after such a long time? The project is available in sourceforge at http://sourceforge.net/project/showfiles.php?group_id=62350. I would really appreciate any guidance on this problem. Kind Regards Jannetta - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] .htpasswd problems
Using htpasswd to control passwords in the .htpasswd file has always resulted in varying values for the same password. This is a standard encryption technique. It doesn't matter what gets stored as long as the decrypted value matches the password. A simple mechanism could use 256 different encryption methods, with the one used stored in the first byte of the encrypted results. On 20/04/07, Jannetta S Steyn <[EMAIL PROTECTED]> wrote: Hi All I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good place to start, even it is just to get someone to guide me in the right direction. Some years ago I wrote web front-end for managing .htpasswd files. My client has been using this for years. Everything is written in php and I use crypt without a seed to encrypt the passwords. Basically what I do is to allow the user to create entries in the .htadmin file. They can also manage the .htpasswd file by editing and deleting entries. Everything worked very well for about 2 years at which point the passwords wouldn't work anymore. I couldn't figure out what was wrong and the client's ISP would help finding the fault and I couldn't reproduce the problem on my own servers. I then moved everything onto my own servers and everything worked again for several years. Unfortunately I then had to move onto rented web space where everything continued to work for another year or so and now I'm experiencing the same problem again. When the problem originally started I modified the scripts to keep a copy of the .htpasswd file with open passwords and I added a menu item to allow the user to re-submit the password file. The would encrypt all the passwords again and write them to the .htpasswd file and things would work again for a few days. Now however the thing breaks so often that we just can carry on resubmitting again. I have once again moved everything onto my servers and since last night I discovered one thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a different hash for the password everytime you run it. However, when you log in, it works, even thought the password in the .htpasswd file seemed to have change. My question in the first place then is: How on earth does htpasswd manage to authenticate if the password hash changes every time. My understanding of how authentication work is that the password is saved as a md5 or DES hash and when the user tries to log in he enters his clear password which is then encrypted and compared with the hash in the password file. Surely though the two hashes should be the same. If however a seed is used which is different every time the encrypting is done then we'll get a different password every time and they should be equal. Why then does apache still authenticate the user? My second question is: Did the way htpasswd and apache work change at some stage, or why did my scripts stop working after such a long time? The project is available in sourceforge at http://sourceforge.net/project/showfiles.php?group_id=62350. I would really appreciate any guidance on this problem. Kind Regards Jannetta - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Steve Swift http://www.swiftys.org.uk
Re: [EMAIL PROTECTED] .htpasswd problems
Hi Steve > It doesn't matter what gets stored as long as the > decrypted value matches the password. This part of what you said puzzles me. Why would you want to decrypt the password and isn't the point of md5 and DES that you don't decrypt the password. Usually the passwords are compared in their encrypted form. That's the whole idea of a message digest isn't it to get a unique signature for a message and to make it near impossible to retrieve the message from the signature again. Regards Jannetta - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] .htpasswd problems
Hi, Jannetta S Steyn wrote: >> It doesn't matter what gets stored as long as the >> decrypted value matches the password. > > This part of what you said puzzles me. Why would you want to decrypt the > password and > isn't the point of md5 and DES that you don't decrypt the password. Usually > the > passwords are compared in their encrypted form. That's the whole idea of a > message > digest isn't it to get a unique signature for a message and to make it near > impossible > to retrieve the message from the signature again. You're talking about the differences between hashing and encryption / decryption. MD5 is a hashing algorithm, DES is an encryption / decryption algorithm. See: http://en.wikipedia.org/wiki/Cryptographic_hash_function http://en.wikipedia.org/wiki/Encryption HTH, Neil. -- Neil Hillard[EMAIL PROTECTED] AgustaWestland http://www.whl.co.uk/ Disclaimer: This message does not necessarily reflect the views of Westland Helicopters Ltd. - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] .htpasswd problems
Hi there You're talking about the differences between hashing and encryption / decryption. MD5 is a hashing algorithm, DES is an encryption / decryption algorithm. See: True I was confusing the issue here. However, when I wrote the scripts originally I think only MD5 was used, and the hashes were compared for authentication. I remember then, looking at the files and even after re-creating the passwords, the hashes didn't change. Now however, even the hashes do seem to change. Example and here I am forcing md5: -bash-3.1$ -bash-3.1$ htpasswd -n -m -b username password username:$apr1$YxgJg...$CBPoLTrXCOLCn13LDTL8w1 -bash-3.1$ htpasswd -n -m -b username password username:$apr1$fjhvN/..$a2OsVleb.E8zoEOyfWfuw. -bash-3.1$ htpasswd -n -m -b username password username:$apr1$ie9n5/..$yOfvwYlhFXBOicCXuk.DK0 The main issue for me still remains, why do my password file stop working after a while? Obviously something regarding the way the passwords are generated and compared changed since I originally wrote the stuff. What changed? I need to know this to accomodate the changes in my code. Thanks for all your input Regards Jannetta - The official User-To-User support forum of the Apache HTTP Server Project. See http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
