On Tue, Apr 30, 2013 at 12:33 PM, Ben Johnson <b...@indietorrent.org> wrote:
>
> On 4/30/2013 11:55 AM, Bo Berglund wrote:
> > On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <b...@indietorrent.org>
> > wrote:
> >
> >>> Well,
> >>> I cannot easily change the authentication method at all because the
> >>> "real" website uses CRYPT passwords and we also have a lot of software
> >>> in-house that updates these .htpasswd files with new user logins when
> >>> new customers are granted access to the protected parts of the site.
> >>
> >> Ah, I see. Yes, then the only short-term solution seems to be to resolve
> >> the issue with .htpasswd files on Windows.
> >
> > What I can do is to replace the .htpasswd file with for example
> > passwords in the .htaccess file and then put a few known test users
> > into that using the htpasswd command, which generates md5 hashes.
> > Then I can use the test site on my PC and the only thing I must not do
> > is commit the changed .htaccess file to CVS....
>
> Sounds good to me.
>
> >> Nonetheless, you might suggest migrating the "live" server to some form
> >> of database authentication in the future. It would be much simpler for
> >> your in-house software to maintain and update a single database table,
> >> rather than potentially hundreds of .htpassword and .htaccess files.
> >
> > I guess so, but then I first have to get comfortable using databases
> > on the website...
>
> Understood.
>
> >>> I have no idea how I could generate MD5 passwords in my software so I
> >>> am stuck with CRYPT (which I can create).
> >>> Note that if this is changed I need to do the same on all of the
> >>> protected folders on the real site...
> >>
> >> Generating MD5 passwords should be trivial in any environment. If you
> >> have a specific scripting language or similar, I'd be happy to provide
> >> examples. However, based on what you say above, changing from CRYPT to
> >> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
> >
> > I could probably call the Apache htpasswd program from within my own
> > program and supply it with parameter -c to create a new file and then
> > I read that back. Like this:
> > htpasswd.exe -cb passwordfile username password
> >
> >>
> >> I wouldn't go that far. There has to be a way to make CRYPT work on
> >> Windows. I'll do some more research (and attempt to get this working on
> >> my own machine) and provide an update.
> >>
> >
> > The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> > Creating them is no big deal, I already have software components for
> > that. But getting Apache to read them is....
>
> Ah, right. Well, it seems that I stand corrected: it does *not* seem to
> be possible to make Apache read crypted passwords on Windows:
>
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic
>
> CRYPT
> Unix only. Uses the traditional Unix crypt(3) function with a
> randomly-generated 32-bit salt (only 12 bits used) and the first 8
> characters of the password.
>
> > I cannot understand why they left that out of Apache when compiling
> > for Windows....
> >
> >
>
> I'm sure there is a good reason. I have yet to see ASF do anything
> without one.

no comment ;)

>
> Maybe someone else can articulate the rationale.
>

* Windows doesn't come with a crypt()-equivalent API. (Or didn't for a long time??????)
* APR-Util doesn't support any third-party libraries for crypt()-equivalence on Windows.
* Consumers of APR-Util like htpasswd don't think crypt()-equivalent is available on Windows and would need to use some different construct to detect availability of crypt()-equivalent passwords in APR-Util.
* Somehow we made it this long without [m]any people caring.

The work could be done, of course... Whether crypt()-ed passwords are important enough now to justify the effort from a volunteer as well as the work of the related projects to review and test the code is unclear...

>
> Bummer!
>
> -Ben
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
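
The thread leaves open how in-house software could write the MD5 entries that `htpasswd` generates without shelling out to `htpasswd.exe`. The following is an added example, not part of the thread and not Apache or APR-Util code: a Python implementation of the `$apr1$` salted, iterated MD5 format with a constant-time check of an existing entry. The function names `apr1_hash`, `htpasswd_line` and `verify`, and the sample user and password, are assumptions of this example.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"

def apr1_hash(password: str, salt: str) -> str:
    """Return the $apr1$ (Apache MD5-crypt variant) hash for password and salt."""
    pw, sl = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + sl + pw).digest()          # "alternate" digest
    ctx = pw + MAGIC.encode() + sl
    for remaining in range(len(pw), 0, -16):          # one alt byte per password byte
        ctx += alt[:min(16, remaining)]
    n = len(pw)
    while n:                                          # per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                             # fixed 1000-round stretching
        block = pw if i & 1 else final
        if i % 3:
            block += sl
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    out = []                                          # crypt-style base64, permuted bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return f"{MAGIC}{salt[:8]}${''.join(out)}"

def htpasswd_line(user: str, password: str) -> str:
    """Build a 'user:hash' line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

def verify(password: str, line: str) -> bool:
    """Check a password against one 'user:hash' line; only $apr1$ entries match."""
    _user, stored = line.strip().split(":", 1)
    if not stored.startswith(MAGIC):
        return False                                  # e.g. a CRYPT or {SHA} entry
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return hmac.compare_digest(apr1_hash(password, salt).encode(), stored.encode())

if __name__ == "__main__":
    # Constructed sample user and password, for illustration only.
    print(htpasswd_line("testuser", "constructed-sample"))
```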