Posted to users@httpd.apache.org by ma...@nl.abnamro.com on 2005/08/11 12:24:06 UTC

[users@httpd] Authentication on Solaris fails when password > 8 chars and using MD5 encoded passwords (or digest)

Hi,

I've looked through the FAQ and bug database but I could not find a reference to
the following problem.

When adding a user to my AuthUserFile with a password > 8 chars that is MD5
hashed (-m option to htpasswd) on Solaris, authentication to the webserver
will fail. This is caused by the fact that htpasswd (or htdigest) use
getpass() (in ap_getpass::ap_getpass.c) to have the user enter their
password. getpass on Solaris accepts password string lengths up to 8 chars
(PASS_MAX); the rest is truncated.

During password verification the truncated string is matched against the
full password sent by the client, which will fail of course. (With crypt this
is not a problem since crypt() will also use the first 8 chars only.)

When replacing getpass() with getpassphrase() on Solaris (does the same but
with passwords up to 256 chars) all works fine but this is not a portable
solution I guess.
Another option would be truncating the password that the client had sent to
8 chars before validating (but many people like longer passwords for their
better strength).

Any thoughts for a portable fix?

THNX

Marcel


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Authentication on Solaris fails when password > 8 chars and using MD5 encoded passwords (or digest)

Posted by Joe Orton <jo...@redhat.com>.
On Thu, Aug 11, 2005 at 12:24:06PM +0200, marcel.kuiper@nl.abnamro.com wrote:
> When replacing getpass() with getpassphrase() on Solaris (does the same but
> with passwords up to 256 chars) all works fine but this is not a portable
> solution I guess.
> Another option would be truncating the password that the client had sent to
> 8 chars before validating (but many people like longer passwords for their
> better strength)
> 
> Any thoughts for a portable fix?

2.0.x (really, APR) will use getpassphrase() if available.

Regards,

joe
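The failure described in the original post, and the getpassphrase() path mentioned in the reply, as an added Python emulation that is not code from this thread or from httpd/APR. It assumes the limits stated above (PASS_MAX = 8 for getpass(), 256 for getpassphrase()) and uses plain MD5 as a stand-in for htpasswd's salted MD5 entry format; crypt()'s DES is not implemented, only its first-8-characters property.

```python
import hashlib

PASS_MAX = 8            # Solaris getpass() limit described in the thread
PASSPHRASE_MAX = 256    # Solaris getpassphrase() limit described in the thread


def solaris_getpass(typed):
    """Emulates getpass() on Solaris: silently drops everything past PASS_MAX."""
    return typed[:PASS_MAX]


def solaris_getpassphrase(typed):
    """Emulates getpassphrase(): same interface, but a 256-char limit."""
    return typed[:PASSPHRASE_MAX]


def md5_entry(password):
    """Stand-in for 'htpasswd -m': the hash covers the whole string it was handed.
    Plain MD5 is used for brevity instead of htpasswd's real salted MD5 format."""
    return "md5:" + hashlib.md5(password.encode()).hexdigest()


def crypt_entry(password):
    """Emulates the property of crypt() the thread relies on: only the first
    8 characters take part in the hash (DES itself is not implemented here)."""
    return "crypt:" + hashlib.md5(password[:8].encode()).hexdigest()


def verify(entry, candidate):
    """Server side: the client's full password is hashed the same way as the entry."""
    scheme = entry.split(":", 1)[0]
    make_entry = md5_entry if scheme == "md5" else crypt_entry
    return entry == make_entry(candidate)


def reproduce(typed_password, prompt, make_entry):
    """Create the AuthUserFile entry through the given prompt emulation, then
    verify it with the password the client actually sends (the full string)."""
    return verify(make_entry(prompt(typed_password)), typed_password)


def truncation_possible(typed_password, prompt):
    """Conservative check for the htpasswd side: if the prompt returned exactly
    PASS_MAX characters, the user may have typed more than was captured. An
    exactly-8-character password also trips this, which is the price of not
    being able to see what was dropped."""
    return len(prompt(typed_password)) == PASS_MAX
```

With getpass(), the MD5 entry for "correct horse" is really the hash of "correct " and never matches the client's 13-character password, while the crypt-style entry still matches because both sides ignore everything past character 8.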


