You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Bo Berglund <bo...@telia.com> on 2006/08/22 19:32:22 UTC
[users@httpd] How to enable Crypt in .htpasswd on Windows (Apache 2.0.54)?
I have a published website with several protected directories using
various .htaccess/.htpasswd files. It has been working fine for about
10 years. The server is on a commercial webhost using Apache on Unix.
I keep a mirror of the official website locally on a Windows 2003 PC
and all works well except the user authentication, which is a PITA to
get working.
I dug down into this recently (again) and found that I can make it
work if I redo all of the .htpasswd files using the htpasswd.exe
program from the Apache installation, but I really do not want to
search for all these thousands of passwords and redo the file....
The catch is that all of the passwords are created using Crypt and by
some magic decision the Apache server on Windows seems not to
recognize these. It requires MD5 password storage instead. At least by
default.
The htpasswd.exe file that ships with Apache refuses completely to
create Crypted passwords even though I use that command line switch.
It displays that it will use MD5 instead.
My question is simply this, HOW can I enable Apache on Windows to
accept Crypted passwords in the .htpasswd file?
/Bo
Bo Berglund
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: How to enable Crypt in .htpasswd on Windows (Apache 2.0.54)?
Posted by Bo Berglund <bo...@telia.com>.
On Tue, 22 Aug 2006 13:30:48 -0500, "William A. Rowe, Jr."
<wr...@rowe-clan.net> wrote:
>Joshua Slive wrote:
>> On 8/22/06, Bo Berglund <bo...@telia.com> wrote:
>>> I have a published website with several protected directories using
>>> various .htaccess/.htpasswd files. It has been working fine for about
>>> 10 years. The server is on a commercial webhost using Apache on Unix.
>>>
>>> I keep a mirror of the official website locally on a Windows 2003 PC
>>> and all works well except the user authentication, which is a PITA to
>>> get working.
>>
>> The problem is that apache never provides crypt() directly. It simply
>> uses it if it is provided by the underlying OS. And Windows does not
>> have crypt().
>
>It sounds, if you are just testing, like you create a few test users that
>belong to the different groups in your schema, and create them with md5
>passwords. The htpasswd default is now md5, but as you say, going back
>10 years this wasn't so. And it turns out not all crypt()s are equal
>either, so even moving from one variant of unix to another could break
>your password file in this same way.
>
>That's why the default shifted to md5's which behaves the same on all
>platforms. If you have perl script creating the passwords, look at
>the package Crypt-MD5PasswdMD5 which crypts md5 apache-style passwords.
>
I was afraid this was the solution....
In fact we are planning on moving away from the web host and publish
our own server but then we would have to go Windows2003 because noone
here knows anything about how to maintain Linux PC:s.
So my task will then be to find the cleartext passwords going back
those years and recreate a md5 .htpasswd file.
So my experimentation on the development server has a purpose in the
future...
Thanks for the information!
/Bo
Bo Berglund
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How to enable Crypt in .htpasswd on Windows (Apache
2.0.54)?
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joshua Slive wrote:
> On 8/22/06, Bo Berglund <bo...@telia.com> wrote:
>> I have a published website with several protected directories using
>> various .htaccess/.htpasswd files. It has been working fine for about
>> 10 years. The server is on a commercial webhost using Apache on Unix.
>>
>> I keep a mirror of the official website locally on a Windows 2003 PC
>> and all works well except the user authentication, which is a PITA to
>> get working.
>
> The problem is that apache never provides crypt() directly. It simply
> uses it if it is provided by the underlying OS. And Windows does not
> have crypt().
It sounds, if you are just testing, like you create a few test users that
belong to the different groups in your schema, and create them with md5
passwords. The htpasswd default is now md5, but as you say, going back
10 years this wasn't so. And it turns out not all crypt()s are equal
either, so even moving from one variant of unix to another could break
your password file in this same way.
That's why the default shifted to md5's which behaves the same on all
platforms. If you have perl script creating the passwords, look at
the package Crypt-MD5PasswdMD5 which crypts md5 apache-style passwords.
Bill
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] How to enable Crypt in .htpasswd on Windows (Apache 2.0.54)?
Posted by Joshua Slive <jo...@slive.ca>.
On 8/22/06, Bo Berglund <bo...@telia.com> wrote:
> I have a published website with several protected directories using
> various .htaccess/.htpasswd files. It has been working fine for about
> 10 years. The server is on a commercial webhost using Apache on Unix.
>
> I keep a mirror of the official website locally on a Windows 2003 PC
> and all works well except the user authentication, which is a PITA to
> get working.
>
> I dug down into this recently (again) and found that I can make it
> work if I redo all of the .htpasswd files using the htpasswd.exe
> program from the Apache installation, but I really do not want to
> search for all these thousands of passwords and redo the file....
>
> The catch is that all of the passwords are created using Crypt and by
> some magic decision the Apache server on Windows seems not to
> recognize these. It requires MD5 password storage instead. At least by
> default.
> The htpasswd.exe file that ships with Apache refuses completely to
> create Crypted passwords even though I use that command line switch.
> It displays that it will use MD5 instead.
>
> My question is simply this, HOW can I enable Apache on Windows to
> accept Crypted passwords in the .htpasswd file?
The problem is that apache never provides crypt() directly. It simply
uses it if it is provided by the underlying OS. And Windows does not
have crypt().
The best way to handle this is to always use one of the other
algorithms, both on windows and on unix. But it may be too late for
you. I don't know of any other solutions.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org