Phil Endecott wrote:
> Dear Experts,
> I'm setting up mod_authn_dbd for the first time (having previously used
> the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
> passwords should be encoded in the database. The docs at
> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
> "The query must take a single string (typically SQL varchar) argument
> (username), and return a single value (encrypted password)."
> Do I have a choice of encryption formats? How do I tell it which format
> I have used? (Is there some more documentation somewhere that I have
> missed?)

There are four formats that Apache recognizes for passwords.
Note that not all four work on every platform:

1. PLAIN TEXT (i.e. unencrypted) passwords:
   Windows, BEOS, & Netware only.

2. CRYPT passwords:
   Unix only.
   Calls the Unix crypt(3) function with a
   randomly-generated 32-bit salt and the password.

3. SHA1 passwords:
   "{SHA}" + Base64-encoded SHA-1 digest of the password

4. MD5 passwords:
   "$apr1$" + the result of an Apache-specific algorithm
   using an iterated (1,000 times) MD5 digest of various
   combinations of a randomly-generated 32-bit salt
   and the password. See source file apr-util/crypto/apr_md5.c
   for the details of the algorithm.

The htpasswd program can be used to generate values:

MD5
    htpasswd -nbm myName myPassword
    myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

SHA1
    htpasswd -nbs myName myPassword
    myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

CRYPT
    htpasswd -nbd myName myPassword
    myName:rqXexS6ZhobKA

openssl can also be used to generate CRYPT and MD5 values
(openssl knows the Apache-specific algorithm). For example:

MD5
    openssl passwd -apr1 myPassword
    $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

CRYPT
    openssl passwd -crypt myPassword
    qQ5vTYO3c8dsU

The SHA1 variant is probably the most useful for DBD authentication.
Since the SHA1-hash and Base64-encoding functions are commonly
available, other software can populate a database with encrypted
passwords which are usable by Apache.
-tom-
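
Added example, not part of the original message and not Apache's own code: a Python sketch of how other software could populate a table with "{SHA}" values in the format described above, checked against the htpasswd -nbs output quoted in the message. The table and column names (authn, username, password), the helper names, and the in-memory SQLite database standing in for the real DBD backend are assumptions. Because the format as described carries no salt, the two constructed accounts that share a password end up with the same stored value.

```python
import base64
import hashlib
import hmac
import sqlite3


def apache_sha(password: str) -> str:
    """Build the "{SHA}" value: prefix + Base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def scheme_of(stored: str) -> str:
    """Classify a stored value by its prefix (simplified model of the four formats)."""
    if stored.startswith("$apr1$"):
        return "MD5"
    if stored.startswith("{SHA}"):
        return "SHA1"
    return "CRYPT or PLAIN TEXT"  # no prefix: platform-dependent, per the post


def check_sha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a "{SHA}" value in constant time."""
    return scheme_of(stored) == "SHA1" and hmac.compare_digest(
        stored.encode(), apache_sha(candidate).encode())


def build_db() -> sqlite3.Connection:
    """Populate an in-memory table (assumed schema: authn(username, password))."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authn (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    rows = [("myName", "myPassword"), ("other", "myPassword")]  # constructed users
    db.executemany("INSERT INTO authn VALUES (?, ?)",
                   [(u, apache_sha(p)) for u, p in rows])
    return db


def lookup(db: sqlite3.Connection, user: str):
    """Single-argument, single-value query, the shape the module docs describe."""
    row = db.execute("SELECT password FROM authn WHERE username = ?", (user,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    for name in ("myName", "other"):
        stored = lookup(db, name)
        print(name, stored, scheme_of(stored), check_sha(stored, "myPassword"))
```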
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.