Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2007/09/08 16:42:53 UTC

[Httpd Wiki] Update of "EncryptedPasswords" by noodl

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by noodl:
http://wiki.apache.org/httpd/EncryptedPasswords

The comment on the change is:
Deleted, save for a note about new home.

------------------------------------------------------------------------------
  ## page was renamed from Encrypted Password
  
  
- '''Note:''' This page is being added to the main docs, at http://httpd.apache.org/docs/trunk/misc/password_encryptions.html. noodl will monitor any changes here for a week before removing this page, beyond which point any suggestions should be sent to the docs@httpd.apache.org list.
+ Moved to http://httpd.apache.org/docs/trunk/misc/password_encryptions.html
  
- = Basic Authentication =
- There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
- 
-  1. '''PLAIN TEXT''' ''(i.e. unencrypted)'' passwords: __Windows, BEOS, & Netware only__.
-  2. '''CRYPT''' passwords:  __Unix only__. Uses the traditional Unix {{{crypt(3)}}} function with a random 32-bit salt ~-(only 12 bits used)-~ and the first 8 characters of the password.
-  3. '''SHA1''' passwords: {{{"{SHA}"}}} + Base64-encoded SHA-1 digest of the password.
-  4. '''MD5''' passwords:  {{{"$apr1$"}}} + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file [http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup apr_md5.c] for the details of the algorithm.
- 
- ==== The htpasswd program can be used to generate values ====
-  * '''MD5'''
- {{{
- htpasswd -nbm myName myPassword
-  myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
- }}}
-  * '''SHA1'''
- {{{
- htpasswd -nbs myName myPassword
-  myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
- }}}
-  * '''CRYPT'''
- {{{
- htpasswd -nbd myName myPassword
-  myName:rqXexS6ZhobKA
- }}}
- ==== The OpenSSL command-line program can also be used to generate CRYPT and MD5 values ====
- OpenSSL knows the Apache-specific MD5 algorithm.
-  * '''MD5'''
- {{{
- openssl passwd -apr1 myPassword
-  $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
- }}}
-   * '''CRYPT'''
- {{{
- openssl passwd -crypt myPassword
-  qQ5vTYO3c8dsU
- }}}
- 
- ==== The OpenSSL command line program can be used to validate CRYPT or MD5 passwords ====
-  * '''CRYPT'''
- The salt for a CRYPT password is the first two characters ~-(converted to a binary value)-~.
- 
- To validate {{{myPassword}}} against {{{rqXexS6ZhobKA}}}
- {{{
- openssl passwd -crypt -salt rq  myPassword
-  Warning: truncating password to 8 characters
-  rqXexS6ZhobKA
- }}}
- Note that using {{{myPasswo}}} instead of {{{myPassword}}} will produce the same result because only the first 8 characters of CRYPT passwords are considered.
- 
-  * '''MD5'''
- The salt for an MD5 password is between {{{$apr1$}}} and the following {{{$}}} ~-(converted to a binary value - max 8 chars)-~.
- 
- To validate {{{myPassword}}} against {{{$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/}}}
- {{{
- openssl passwd -apr1 -salt r31.....  myPassword
-  $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
- }}}
- === Database password fields for mod_dbd ===
- The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords which are usable by Apache basic authentication.
- 
- ==== To create Apache SHA1-variant basic-authentication passwords in other languages ====
-  * '''PHP'''
- {{{'{SHA}' . base64_encode(sha1($password, TRUE))
- }}}
-  * '''Java'''
- {{{"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
- }}}
-  * '''!ColdFusion'''
- {{{"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
- }}}
-  * '''Ruby'''
- {{{require 'digest/sha1'
- require 'base64'
- '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
- }}}
-  * '''C or C++'''
- Use the APR function:    [http://apr.apache.org/docs/apr-util/1.2/apr__sha1_8h.html#38a5ac487992a24e941b7501273829e8 void apr_sha1_base64(const char *clear, int len, char *out)]
-  * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)''
- {{{'{SHA}'||encode(digest(password,'sha1'),'base64')
- }}}
- 
- 
- = Digest Authentication =
- Apache only recognizes one format for digest-authentication passwords - the MD5 hash of the string {{{user:realm:password}}} as a 32-character string of hexadecimal digits.
- 
- {{{realm}}} is the '''Authorization Realm''' argument to the AuthName directive.
- 
- === Database password fields for mod_dbd ===
- Since the MD5 function is commonly available, other software can populate a database with encrypted passwords which are usable by Apache digest authentication.
- 
- ==== To create Apache digest-authentication passwords in other languages ====
-  * '''PHP'''
- {{{md5($user . ':' . $realm . ':' .$password)
- }}}
-  * '''Java'''
- {{{byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
- java.math.BigInteger bi = new java.math.BigInteger(b);
- String s = bi.toString(16);
- if (s.length() % 2 != 0)  s = "0" + s;
- // String s is the encrypted password
- }}}
-  * '''!ColdFusion'''
- {{{LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
- }}}
-  * '''Ruby'''
- {{{require 'digest/md5'
- Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
- }}}
-  * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)''
- {{{
- encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
- }}}
-
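Review bot: In the removed Digest Authentication section, the Java example builds the hex string with `new java.math.BigInteger(b)` and a single `"0"` pad, which gives a wrong value for any MD5 digest whose first byte has the high bit set (the signed conversion yields a minus sign) or that begins with more than one zero nibble (only one leading zero is restored). The removed note says this text is being added to password_encryptions.html, so the copy there should use `new java.math.BigInteger(1, b)` and left-pad to 32 characters rather than carry the snippet over unchanged. The Ruby `{SHA}` example has a similar problem: `Base64.encode64` appends a newline, so the result needs to be stripped before it is stored as a password field. Separately, the new `Moved to` line drops the docs@httpd.apache.org address that the old note gave for suggestions; keeping it on the stub would tell readers where corrections should go now that the page is gone.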