Posted to dev@httpd.apache.org by Patrick Welche <pr...@newn.cam.ac.uk> on 2007/01/06 19:48:48 UTC

mod_authn_dbd and apr_password_validate

I was just trying 4 Jan 20:33 -head httpd, with apr/apr-util of 28 Dec,
to try out mod_authn_dbd with the following configuration:

DBDriver pgsql
DBDParams "dbname=passtest user=prlw1"
<IfModule mod_authn_dbd.c>
<Directory "/usr/local/share/httpd/htdocs/webfolder">
AuthType Basic
AuthName "What's this?"
AuthBasicProvider dbd
Require valid-user
AuthDBDUserPWQuery "select prefname from person where userid=%s"
</Directory>
</IfModule>

Now, try as I might, my password is never accepted. I assumed database
problems etc., but all checked OK. Then I tried:

Index: mod_authn_dbd.c
===================================================================
--- mod_authn_dbd.c     (revision 492725)
+++ mod_authn_dbd.c     (working copy)
@@ -161,6 +161,8 @@
     if (!dbd_password) {
         return AUTH_USER_NOT_FOUND;
     }
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+              "Comparing \"%s\" with \"%s\"", password, dbd_password);
 
     rv = apr_password_validate(password, dbd_password);
 
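Review bot: `rv` is passed as the status argument to ap_log_rerror on the first added line before apr_password_validate assigns it on the following context line, so the logged status is whatever the variable happened to hold (the "(-1)Unknown error: 4294967295" prefix in the log output below is exactly that); pass 0 instead, e.g. `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,`. The message also writes the submitted password and the stored credential in clear to the error log at APLOG_ERR, so this has to stay a throwaway local debugging change and must not be committed.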

and saw in the logs:

[Sat Jan 06 00:55:35 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "Patrick"
[Sat Jan 06 00:55:35 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch

So, it seems that mod_authn_dbd managed to get the password from the web
browser, and from the database.

Now, in apr-util/crypto/apr_md5.c, I see:

/*
 * Validate a plaintext password against a smashed one.  Uses either
 * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending
 * upon the format of the smashed input password.  Returns APR_SUCCESS if
 * they match, or APR_EMISMATCH if they don't.  If the platform doesn't
 * support crypt, then the default check is against a clear text string.
 */
APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
                                                const char *hash)


but here, it looks as though we have to validate a plaintext password against
a plaintext password.

What am I missing?

Cheers,

Patrick

Re: mod_authn_dbd and apr_password_validate

Posted by Ruediger Pluem <rp...@apache.org>.

On 01/08/2007 05:08 PM, Patrick Welche wrote:

> 
> 
> First an apology for posting to dev: I thought there was at least a
> documentation issue, but no:
> 
> AuthDBDUserPWQuery Directive
> ...
>    SQL varchar) argument (username), and return a single value (encrypted
>    password).                                                   ^^^^^^^^^
> 
> I am still searching for a way to get an encrypted password to be accepted.
> With
> 
> AuthDBDUserPWQuery "select md5(prefname) from person where userid=%s"
> 
> I get
> 
> [Mon Jan 08 16:04:41 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "f87567f2159b425795ebb7ba9bc406ec"
> [Mon Jan 08 16:04:41 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch

apr_password_validate or better apr_md5_encode does not simply apply MD5 to the password, but mixes it with a salt.
Furthermore the password hash needs to start with a 'marker' string to inform apr_password_validate which hash algorithm
it should use. If none is specified it falls back to crypt.

> 
> and with
> 
> AuthDBDUserPWQuery "select encode(digest(prefname,'sha1'),'hex') from person where userid=%s"

From my quick view at the apr-util code I would guess that the following should work:

AuthDBDUserPWQuery "select '{SHA}'||encode(digest(prefname,'sha1'),'hex') from person where userid=%s"

Regards

Rüdiger

Re: mod_authn_dbd and apr_password_validate

Posted by Patrick Welche <pr...@newn.cam.ac.uk>.
On Mon, Jan 08, 2007 at 09:10:52PM +0000, Nick Kew wrote:
> On Mon, 8 Jan 2007 16:08:51 +0000
> Patrick Welche <pr...@newn.cam.ac.uk> wrote:
> 
> 
> > so what sort of password does apr_password_validate accept?
> 
> Those created with htpasswd is a simple answer.

Would the following patch be acceptable? (So that one has a clue on how
to populate the database.)

Cheers,

Patrick

Re: mod_authn_dbd and apr_password_validate

Posted by Nick Kew <ni...@webthing.com>.
On Mon, 8 Jan 2007 16:08:51 +0000
Patrick Welche <pr...@newn.cam.ac.uk> wrote:


> so what sort of password does apr_password_validate accept?

Those created with htpasswd is a simple answer.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
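Rüdiger's explanation above (marker string plus salt) and Nick's "those created with htpasswd" describe the same thing: apr_password_validate() looks at a prefix on the stored hash to pick the algorithm, and anything without a recognised prefix goes to crypt(3), which is why a bare hex digest or a plaintext column never matches. The following is an added example written for this thread, not code from APR or httpd, modelling that dispatch in Python so a database column for mod_authn_dbd can be populated in an accepted format. Note that the `{SHA}` form apr_sha1_base64() produces is base64 of the raw 20-byte digest, not hex (in PostgreSQL that is `encode(digest(prefname,'sha1'),'base64')`), and that it is unsalted; `$apr1$` is the salted format `htpasswd -m` writes. The function names, the `THREAD_*` constants and the plaintext "Patrick" are taken from or constructed for this thread.

```python
"""Added example (not APR's own code): a model of the hash formats that
apr_password_validate() dispatches on, so that a mod_authn_dbd password column
can be populated in a form the validator accepts."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# apr_password_validate() selects the algorithm from a marker at the start of
# the stored hash: "$apr1$" -> apr_md5_encode(), "{SHA}" -> apr_sha1_base64(),
# anything else -> crypt(3).  A bare hex digest carries no marker, so it is
# handed to crypt() and never matches.
APR1_MAGIC = "$apr1$"
SHA_MARKER = "{SHA}"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, n: int) -> str:
    """md5crypt's custom 6-bit encoding, least significant group first."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_encode(password: str, salt: Optional[str] = None) -> str:
    """Produce a $apr1$ hash (md5crypt with Apache's magic string), the
    salted format `htpasswd -m` writes.  salt is at most 8 chars of _ITOA64."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    salt = salt[:8]
    pw = password.encode()
    sb = salt.encode()
    ctx = hashlib.md5(pw + APR1_MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # key stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{APR1_MAGIC}{salt}${enc}"


def sha1_base64_encode(password: str) -> str:
    """{SHA} followed by base64 of the raw digest (not hex): what
    apr_sha1_base64() and `htpasswd -s` produce.  Unsalted."""
    digest = hashlib.sha1(password.encode()).digest()
    return SHA_MARKER + base64.b64encode(digest).decode()


def password_validate(password: str, stored: str) -> bool:
    """Mirror of apr_password_validate()'s dispatch for the two marker formats."""
    if stored.startswith(APR1_MAGIC):
        salt = stored[len(APR1_MAGIC):].split("$", 1)[0]
        candidate = apr1_encode(password, salt)
    elif stored.startswith(SHA_MARKER):
        candidate = sha1_base64_encode(password)
    else:
        # APR hands everything else to crypt(3); a plaintext or bare hex
        # column therefore never validates.  Modelled here as a mismatch.
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed from the thread: "Patrick" is the test password, and these hex
# digests are what the SELECTs returned.  They fail because they carry no marker.
THREAD_SHA1_HEX = "57ad79649b677cf8f889ba6dc5fb4f98ada2767e"
THREAD_MD5_HEX = "f87567f2159b425795ebb7ba9bc406ec"

if __name__ == "__main__":
    stored = apr1_encode("Patrick")
    print(stored, password_validate("Patrick", stored))
    print(sha1_base64_encode("Patrick"))
    print(password_validate("Patrick", THREAD_SHA1_HEX))
```

Run it and the `$apr1$` line is what you would store in the database column that AuthDBDUserPWQuery returns; the last line prints False, reproducing the "Password Mismatch" from the thread for a markerless hex digest.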

Re: mod_authn_dbd and apr_password_validate

Posted by Patrick Welche <pr...@newn.cam.ac.uk>.
On Sat, Jan 06, 2007 at 02:59:47PM -0500, Brian J. France wrote:
> That mod_authn_dbd is assuming your database password is not plain
> text, but smashed (crypt, md5, sha1).  I ran into the same issue and
> created this:
> 
>   http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff
> 
> Apply the patch and add this to your config:
> 
>   AuthDBDPlainTextPasswords on
> 
> and you should be set.

First an apology for posting to dev: I thought there was at least a
documentation issue, but no:

AuthDBDUserPWQuery Directive
...
   SQL varchar) argument (username), and return a single value (encrypted
   password).                                                   ^^^^^^^^^

I am still searching for a way to get an encrypted password to be accepted.
With

AuthDBDUserPWQuery "select md5(prefname) from person where userid=%s"

I get

[Mon Jan 08 16:04:41 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "f87567f2159b425795ebb7ba9bc406ec"
[Mon Jan 08 16:04:41 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch

and with

AuthDBDUserPWQuery "select encode(digest(prefname,'sha1'),'hex') from person where userid=%s"

I get

[Mon Jan 08 16:03:15 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "57ad79649b677cf8f889ba6dc5fb4f98ada2767e"
[Mon Jan 08 16:03:15 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch

and just to check:

% echo -n Patrick | md5
f87567f2159b425795ebb7ba9bc406ec
% echo -n Patrick | sha1
57ad79649b677cf8f889ba6dc5fb4f98ada2767e

so what sort of password does apr_password_validate accept?

Thankfully your patch gets me out of trouble allowing plaintext passwords.

Thank you,

Patrick

Re: mod_authn_dbd and apr_password_validate

Posted by "Brian J. France" <li...@firehawksystems.com>.
On Jan 6, 2007, at 1:48 PM, Patrick Welche wrote:
> /*
>  * Validate a plaintext password against a smashed one.  Uses either
>  * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending
>  * upon the format of the smashed input password.  Returns APR_SUCCESS if
>  * they match, or APR_EMISMATCH if they don't.  If the platform doesn't
>  * support crypt, then the default check is against a clear text string.
>  */
> APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
>                                                 const char *hash)
>
>
> but here, it looks as though we have to validate a plaintext password against
> a plaintext password.
>
> What am I missing?

That mod_authn_dbd is assuming your database password is not plain
text, but smashed (crypt, md5, sha1).  I ran into the same issue and
created this:

   http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff

Apply the patch and add this to your config:

   AuthDBDPlainTextPasswords on

and you should be set.

Brian