Posted to dev@httpd.apache.org by Patrick Welche <pr...@newn.cam.ac.uk> on 2007/01/06 19:48:48 UTC
mod_authn_dbd and apr_password_validate
I was just trying 4 Jan 20:33 -head httpd, with apr/apr-util of 28 Dec,
to try out mod_authn_dbd with the following configuration:
DBDriver pgsql
DBDParams "dbname=passtest user=prlw1"
<IfModule mod_authn_dbd.c>
<Directory "/usr/local/share/httpd/htdocs/webfolder">
AuthType Basic
AuthName "What's this?"
AuthBasicProvider dbd
Require valid-user
AuthDBDUserPWQuery "select prefname from person where userid=%s"
</Directory>
</IfModule>
Now, try as I might, my password is never accepted. I assumed database
problems etc., but all checked OK. Then I tried:
Index: mod_authn_dbd.c
===================================================================
--- mod_authn_dbd.c (revision 492725)
+++ mod_authn_dbd.c (working copy)
@@ -161,6 +161,8 @@
if (!dbd_password) {
return AUTH_USER_NOT_FOUND;
}
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "Comparing \"%s\" with \"%s\"", password, dbd_password);
rv = apr_password_validate(password, dbd_password);
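Review bot: in the added ap_log_rerror() call, `rv` is passed as the status argument one line before `rv = apr_password_validate(password, dbd_password);` assigns it, so the status printed is whatever the variable held beforehand (the `(-1)Unknown error: 4294967295` prefix in the logged lines is what that looks like); pass `0` as the status or move the log call after the validate call. The message also writes the cleartext credential from the request together with the stored value to the error log, which is acceptable for a throwaway local debugging run but must not be committed in this form.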
and saw in the logs:
[Sat Jan 06 00:55:35 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "Patrick"
[Sat Jan 06 00:55:35 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch
So, it seems that mod_authn_dbd managed to get the password from the web
browser, and from the database.
Now, in apr-util/crypto/apr_md5.c, I see:
/*
* Validate a plaintext password against a smashed one. Uses either
* crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending
* upon the format of the smashed input password. Returns APR_SUCCESS if
* they match, or APR_EMISMATCH if they don't. If the platform doesn't
* support crypt, then the default check is against a clear text string.
*/
APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
const char *hash)
but here, it looks as though we have to validate a plaintext password against
a plaintext password.
What am I missing?
Cheers,
Patrick
Re: mod_authn_dbd and apr_password_validate
Posted by Ruediger Pluem <rp...@apache.org>.
On 01/08/2007 05:08 PM, Patrick Welche wrote:
>
>
> First an apology for posting to dev: I thought there was at least a
> documentation issue, but no:
>
> AuthDBDUserPWQuery Directive
> ...
> SQL varchar) argument (username), and return a single value (encrypted
> password). ^^^^^^^^^
>
> I am still searching for a way to get an encrypted password to be accepted.
> With
>
> AuthDBDUserPWQuery "select md5(prefname) from person where userid=%s"
>
> I get
>
> [Mon Jan 08 16:04:41 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "f87567f2159b425795ebb7ba9bc406ec"
> [Mon Jan 08 16:04:41 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch
apr_password_validate or better apr_md5_encode does not simply apply MD5 to the password, but mixes it with a salt.
Furthermore the password hash needs to start with a 'marker' string to inform apr_password_validate which hash algorithm
it should use. If none is specified it falls back to crypt.
>
> and with
>
> AuthDBDUserPWQuery "select encode(digest(prefname,'sha1'),'hex') from person where userid=%s"
From my quick view at the apr-util code I would guess that the following should work:
AuthDBDUserPWQuery "select '{SHA}'||encode(digest(prefname,'sha1'),'hex') from person where userid=%s"
Regards
Rüdiger
Re: mod_authn_dbd and apr_password_validate
Posted by Patrick Welche <pr...@newn.cam.ac.uk>.
On Mon, Jan 08, 2007 at 09:10:52PM +0000, Nick Kew wrote:
> On Mon, 8 Jan 2007 16:08:51 +0000
> Patrick Welche <pr...@newn.cam.ac.uk> wrote:
>
>
> > so what sort of password does apr_password_validate accept?
>
> Those created with htpasswd is a simple answer.
Would the following patch be acceptable? (So that one has a clue on how
to populate the database.)
Cheers,
Patrick
Re: mod_authn_dbd and apr_password_validate
Posted by Nick Kew <ni...@webthing.com>.
On Mon, 8 Jan 2007 16:08:51 +0000
Patrick Welche <pr...@newn.cam.ac.uk> wrote:
> so what sort of password does apr_password_validate accept?
Those created with htpasswd is a simple answer.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Re: mod_authn_dbd and apr_password_validate
Posted by Patrick Welche <pr...@newn.cam.ac.uk>.
On Sat, Jan 06, 2007 at 02:59:47PM -0500, Brian J. France wrote:
> That mod_authn_dbd is assuming your database password is not plain
> text, but smashed (crypt, md5, sha1). I ran into the same issue and
> created this:
>
> http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff
>
> Apply the patch and add this to your config:
>
> AuthDBDPlainTextPasswords on
>
> and you should be set.
First an apology for posting to dev: I thought there was at least a
documentation issue, but no:
AuthDBDUserPWQuery Directive
...
SQL varchar) argument (username), and return a single value (encrypted
password). ^^^^^^^^^
I am still searching for a way to get an encrypted password to be accepted.
With
AuthDBDUserPWQuery "select md5(prefname) from person where userid=%s"
I get
[Mon Jan 08 16:04:41 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "f87567f2159b425795ebb7ba9bc406ec"
[Mon Jan 08 16:04:41 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch
and with
AuthDBDUserPWQuery "select encode(digest(prefname,'sha1'),'hex') from person where userid=%s"
I get
[Mon Jan 08 16:03:15 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "57ad79649b677cf8f889ba6dc5fb4f98ada2767e"
[Mon Jan 08 16:03:15 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch
and just to check:
% echo -n Patrick | md5
f87567f2159b425795ebb7ba9bc406ec
% echo -n Patrick | sha1
57ad79649b677cf8f889ba6dc5fb4f98ada2767e
so what sort of password does apr_password_validate accept?
Thankfully your patch gets me out of trouble allowing plaintext passwords.
Thank you,
Patrick
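Patrick's question above (what sort of value apr_password_validate accepts) and the marker explanation in Rüdiger's reply earlier on the page are illustrated by the following Python re-implementation of the dispatch. It is an added example, not code from apr-util, mod_authn_dbd or anyone in the thread; the function names `sha_encode`, `apr1_encode` and `validate_password` are mine. It encodes two facts about what htpasswd writes: the `{SHA}` value is the base64 encoding of the raw SHA-1 digest (not the hex string shown in the log lines above), and the `$apr1$` value is the salted, 1000-round MD5-crypt construction used by apr_md5_encode(). Anything without a marker is handed to crypt(3), here via Python's optional `crypt` module, so a bare hex digest or a cleartext value never matches.

```python
"""Added example: the prefix dispatch of apr_password_validate(), re-implemented in
Python for illustration.  Not apr-util code; function names are the example's own."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Marker strings apr_password_validate() recognises at the start of the stored value.
SHA_MARKER = "{SHA}"
APR1_MARKER = "$apr1$"

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base-64: 6 bits per character, least significant bits first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def sha_encode(password: str) -> str:
    """What `htpasswd -s` stores: '{SHA}' + base64(SHA-1(password)); unsalted."""
    digest = hashlib.sha1(password.encode()).digest()
    return SHA_MARKER + base64.b64encode(digest).decode()


def apr1_encode(password: str, salt: Optional[str] = None) -> str:
    """What `htpasswd -m` / apr_md5_encode() store: '$apr1$' + salt + '$' + 22 chars.
    MD5-crypt construction with the '$apr1$' magic: the salt is mixed in and the
    digest is stretched through 1000 rounds."""
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    salt = salt[:8]
    pw, s = password.encode(), salt.encode()

    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + APR1_MARKER.encode() + s)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):  # stretching loop, as in apr_md5_encode()
        ctx = hashlib.md5()
        ctx.update(pw if i & 1 else final)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{APR1_MARKER}{salt}${encoded}"


def validate_password(password: str, stored: str) -> bool:
    """Mirror of apr_password_validate(): pick the scheme from the stored prefix."""
    if stored.startswith(SHA_MARKER):
        return hmac.compare_digest(sha_encode(password), stored)
    if stored.startswith(APR1_MARKER):
        salt = stored[len(APR1_MARKER):].split("$", 1)[0]
        return hmac.compare_digest(apr1_encode(password, salt), stored)
    # No marker: fall back to crypt(3).  Python's crypt module is optional (it was
    # removed from the standard library in 3.13); without it nothing can match.
    try:
        import crypt
        result = crypt.crypt(password, stored)
    except (ImportError, OSError, ValueError):
        return False
    return result is not None and hmac.compare_digest(result, stored)


if __name__ == "__main__":
    # Constructed sample: the digests of "Patrick" quoted in the thread, in the
    # forms the database queries produced, against what htpasswd would store.
    print(sha_encode("Patrick"), validate_password("Patrick", sha_encode("Patrick")))
    print(validate_password("Patrick", "{SHA}57ad79649b677cf8f889ba6dc5fb4f98ada2767e"))
    print(validate_password("Patrick", "f87567f2159b425795ebb7ba9bc406ec"))
```

Run stand-alone, the script shows the base64 `{SHA}` form validating while the hex SHA-1 and hex MD5 values from the log lines above do not. For populating the table, the practical consequence is to store what `htpasswd -nbs` or `htpasswd -nbm` prints for the user rather than a database-side digest of the cleartext.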
Re: mod_authn_dbd and apr_password_validate
Posted by "Brian J. France" <li...@firehawksystems.com>.
On Jan 6, 2007, at 1:48 PM, Patrick Welche wrote:
> /*
> * Validate a plaintext password against a smashed one. Uses either
> * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(),
> depending
> * upon the format of the smashed input password. Returns
> APR_SUCCESS if
> * they match, or APR_EMISMATCH if they don't. If the platform
> doesn't
> * support crypt, then the default check is against a clear text
> string.
> */
> APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
> const char *hash)
>
>
> but here, it looks as though we have to validate a plaintext
> password against
> a plaintext password.
>
> What am I missing?
That mod_authn_dbd is assuming your database password is not plain
text, but smashed (crypt, md5, sha1). I ran into the same issue and
created this:
http://www.brianfrance.com/software/apache/mod_authn_dbd.c.diff
Apply the patch and add this to your config:
AuthDBDPlainTextPasswords on
and you should be set.
Brian