Posted to users@httpd.apache.org by Owen Boyle <ob...@bourse.ch> on 2002/04/16 15:27:53 UTC
Re: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword). I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.
Did you test whether all the characters were significant? AFAIK, Apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the same.
Rgds,
Owen Boyle.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Posted by Milind Sawant <mi...@skandiabank.ch>.
Hi,
Thanks for your concern.
The Basic Authentication in Apache uses the htpasswd utility to generate
passwords.
A) The default option is -d (force CRYPT encryption of the password).
You can create a password of more than 8 characters,
but only the first 8 characters are relevant.
As Owen Boyle has rightly pointed out, if "xxxxxxxxYBDCDC" is your password
and on authentication
you supply "xxxxxxxxADBDD" as the password, you can log in.
B) Using other options like -m (MD5 encryption) and -s (SHA encryption) doesn't
work.
I can generate the password but get a password mismatch error on
authentication.
Do you have the same experience?
Milind
Milind Sawant
Web Administrator (Apollo)
TCS
+0041 1 288 4675
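An added example, not part of either post above: a small Python audit of an htpasswd file that reports which entries use the -d (CRYPT) format discussed in this thread, where only the first 8 characters count, and which use the -m or -s formats. The sample users and hashes are constructed for illustration, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# Shapes of the hash field written by htpasswd -d, -m and -s.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash
APR1_MD5 = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
SHA1_B64 = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")

def classify(hash_field):
    """Return (scheme, significant_chars); None means no length limit."""
    if DES_CRYPT.match(hash_field):
        return ("crypt", 8)
    if APR1_MD5.match(hash_field):
        return ("apr1-md5", None)
    if SHA1_B64.match(hash_field):
        return ("sha1", None)
    return ("unknown", None)

def audit(htpasswd_text):
    """Map each user to its scheme and the length at which input is cut."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, limit = classify(hash_field)
        report[user] = {"scheme": scheme, "truncates_at": limit}
    return report

def same_under_crypt(pw_a, pw_b):
    """Traditional DES crypt keys on the low 7 bits of the first 8 bytes."""
    def key(pw):
        return bytes(b & 0x7F for b in pw.encode("utf-8")[:8])
    return key(pw_a) == key(pw_b)

def sha_entry(user, password):
    """Build an 'htpasswd -s' style line: {SHA} + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

# Constructed sample; the crypt and apr1 hashes are shape-only placeholders.
SAMPLE = "\n".join([
    "alice:abCDefGHijKLm",
    "bob:$apr1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV",
    sha_entry("carol", "thisisalongpassword"),
])

if __name__ == "__main__":
    print(audit(SAMPLE), same_under_crypt("xxxxxxxxYBDCDC", "xxxxxxxxADBDD"))
```

Entries reported as "crypt" are the ones to regenerate with a format that uses the whole password.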