On 5/2/2013 2:19 PM, Ben Johnson wrote: > > > On 5/2/2013 1:50 PM, Bo Berglund wrote: >> I am trying to understand the use of MD5 as passwords for Apache, >> previously I have always used CRYPT:ed passwords in my .htpasswd file. >> Because Apache on Windows does not allow CRYPT:ed passwords (see >> earlier thread) I am investigating the MD5 possibility. >> The problem I have is that I need to let my code generate the hashes >> written to the .htpasswd file in such a way that Apache will be OK >> with them. >> When reading the PHP documentation I find that the output of the md5() >> function is a 32 byte hex string. >> But the hash generated by the Apache htpasswd command on Windows >> produces hashes like this: >> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0 >> >> As you can see this is clearly NOT a hex string at all!!! >> >> So is it possible with PHP to generate the .htpasswd file in a format >> that comlies with what Apache needs? >> >> And can PHP check if a password hash matches the user supplied >> password after it has been hashed using MD5? >> >> > > Hi again, Bo, > > Yes, it is possible for PHP to generate the .htpasswd file by calling a > standalone binary directly (e.g., with proc_open() or other functions in > the same family). > > Likewise, PHP can validate the hash using the same method. > >>From the manual page that I cited in a previous response ( > http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ): > > ----------------------------------------------------------------------- > "$apr1$" + the result of an Apache-specific algorithm using an iterated > (1,000 times) MD5 digest of various combinations of a random 32-bit salt > and the password. See the APR source file apr_md5.c for the details of > the algorithm. > > [...] > > Generating values with htpasswd > > MD5 > > $ htpasswd -nbm myName myPassword > myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ > > [...] > > Generating CRYPT and MD5 values with the OpenSSL command-line program > > OpenSSL knows the Apache-specific MD5 algorithm. > > MD5 > > $ openssl passwd -apr1 myPassword > $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 > > [...] > > Validating CRYPT or MD5 passwords with the OpenSSL command line program > > The salt for an MD5 password is between $apr1$ and the following $ (as a > Base64-encoded binary value - max 8 chars). To validate myPassword > against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ > > MD5 > > $ openssl passwd -apr1 -salt r31..... myPassword > $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ > > ----------------------------------------------------------------------- > > So, at a minimum, it seems that you should be able to generate > Apache-readable hashes using the either the Apache-provided utility > binary, htpasswd, or the "openssl" binary. Given that openssl is > available for most (or all) platforms, including Windows, one of the two > should be sufficient. > > I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html . > > Trying htpasswd first: > > Generate password: > > htpasswd -nbm myName myPassword > myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1 > > Validate password: > > openssl passwd -apr1 -salt QF/F.cm5 myPassword > $apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1 > > (the hashes match; the password is valid) > > Trying openssl next: > > openssl passwd -apr1 myPassword > $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/ > > openssl passwd -apr1 -salt f/X4Z7kl myPassword > $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/ > > (the hashes match; the password is valid) > > This should be everything you need. > > -Ben
P.S. I advise you not to try to write-out your htpasswd files using pure PHP. It seems much more sound to use the Apache-provided utility executables to manipulate htpasswd and related files. In other words, use PHP's proc_open() or similar to call the appropriate utility to manipulate the Apache files. I think you would have a hell of a time trying to recreate in PHP all the functionality that *already exists* in those utilities. Good luck -Ben --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
