On 5/2/2013 1:50 PM, Bo Berglund wrote: > I am trying to understand the use of MD5 as passwords for Apache, > previously I have always used CRYPT:ed passwords in my .htpasswd file. > Because Apache on Windows does not allow CRYPT:ed passwords (see > earlier thread) I am investigating the MD5 possibility. > The problem I have is that I need to let my code generate the hashes > written to the .htpasswd file in such a way that Apache will be OK > with them. > When reading the PHP documentation I find that the output of the md5() > function is a 32 byte hex string. > But the hash generated by the Apache htpasswd command on Windows > produces hashes like this: > $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0 > > As you can see this is clearly NOT a hex string at all!!! > > So is it possible with PHP to generate the .htpasswd file in a format > that comlies with what Apache needs? > > And can PHP check if a password hash matches the user supplied > password after it has been hashed using MD5? > >
Hi again, Bo, Yes, it is possible for PHP to generate the .htpasswd file by calling a standalone binary directly (e.g., with proc_open() or other functions in the same family). Likewise, PHP can validate the hash using the same method. >From the manual page that I cited in a previous response ( http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ): ----------------------------------------------------------------------- "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm. [...] Generating values with htpasswd MD5 $ htpasswd -nbm myName myPassword myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ [...] Generating CRYPT and MD5 values with the OpenSSL command-line program OpenSSL knows the Apache-specific MD5 algorithm. MD5 $ openssl passwd -apr1 myPassword $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 [...] Validating CRYPT or MD5 passwords with the OpenSSL command line program The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars). To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ MD5 $ openssl passwd -apr1 -salt r31..... myPassword $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ ----------------------------------------------------------------------- So, at a minimum, it seems that you should be able to generate Apache-readable hashes using the either the Apache-provided utility binary, htpasswd, or the "openssl" binary. Given that openssl is available for most (or all) platforms, including Windows, one of the two should be sufficient. I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html . Trying htpasswd first: Generate password: htpasswd -nbm myName myPassword myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1 Validate password: openssl passwd -apr1 -salt QF/F.cm5 myPassword $apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1 (the hashes match; the password is valid) Trying openssl next: openssl passwd -apr1 myPassword $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/ openssl passwd -apr1 -salt f/X4Z7kl myPassword $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/ (the hashes match; the password is valid) This should be everything you need. -Ben --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
