Posted to users@httpd.apache.org by Bo Berglund <bo...@gmail.com> on 2013/04/30 17:12:07 UTC

[users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

On Tue, 30 Apr 2013 10:31:07 -0400, Ben Johnson <be...@indietorrent.org>
wrote:

>
>
>On 4/30/2013 9:06 AM, Bo Berglund wrote:
>> I have a local Apache 2.2 server on my development PC. It is running
>> on Windows7X64.
>> Some of our folders are protected and we use .htpasswd files to
>> authenticate the users with CRYPT-ed passwords.
>> The whole website is version controlled in CVS and I work on a checked
>> out copy of the website.
>> 
>> Now I need to develop some PHP scripts and these need to know which
>> user is logged on so for debugging I must get the authentication
>> going.
>> But so far I have been out of luck using the file with CRYPT:ed
>> passwords.
>> 
>> I discovered:
>> If I use the htpasswd command to create a password on the Win7 box it
>> seems to totally disregard the command line switch to make a CRYPT
>> password, instead it always forces use of MD5.
>> 
>> On the real server (at Network Solutions) the normal .htpasswd file
>> works just fine.
>> 
>> How can I make Apache2.2 on Win7X64 use the existing passwords so I
>> can continue developing the PHP scripts?
>> 
>> 
>
>Hi, Bo,
>
>While I can't identify the cause of your issue readily, I can suggest a
>fine alternative: use database authentication instead.
>
>Here's an excerpt from a blog comment that I wrote some time ago; it
>should steer you in the right direction if you are open to my suggestion.
>
>From:
>http://www.pitr.net/index.php/2007/08/08/internal-error-pcfg_openfile-called-with-null-filename/
>---------------------------------------------------------------
>[...] Windows users do not have the ability to specify "AuthUserFile
>/dev/null". Furthermore, that is an undesirable solution (as others have
>noted). This is the appropriate method, provided as a complete example:
>
><Directory />
>	Options FollowSymLinks
>	AllowOverride None
>	Order deny,allow
>	Deny from all
>	Satisfy all
>	AuthBasicProvider dbm
>	AuthDBMType SDBM
>	AuthName "Protected Area"
>	AuthType Basic
>	AuthDBMUserFile "D:/Program Files/Apache/passwords.dat"
>	require valid-user
></Directory>
>
>Obviously, "AuthBasicProvider" and "AuthDBMType" must reflect the
>correct values for your system (available types for "AuthDBMType" are:
>default|SDBM|GDBM|NDBM|DB). See
>http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html and
>http://httpd.apache.org/docs/2.1/mod/mod_auth_basic.html for additional
>information.
>
>The above example functions as expected with Apache 2.2.6 on Windows 7
>x86. "passwords.dat" should be created with something like this:
>
>> D:\Program Files\apache\bin>htdbm -cs "D:\Program Files\Apache\passwords.dat" yourname
>
>Note also that, according to the mod_auth_basic manual page (cited
>above), setting "AuthBasicAuthoritative" to "Off" "... should only be
>necessary when combining mod_auth_basic with third-party modules that
>are not configured with the AuthBasicProvider directive."
>
>Thanks to everyone here for the assistance in getting this to work
>properly (under Windows, no less).
>---------------------------------------------------------------
>
>Happy to answer any questions! Good luck!
>
>-Ben

Well,
I cannot easily change the authentication method at all because the
"real" website uses CRYPT passwords and we also have a lot of software
in-house that updates these .htpasswd files with new user logins when
new customers are granted access to the protected parts of the site.
I have no idea how I could generate MD5 passwords in my software so I
am stuck with CRYPT (which I can create).
Note that if this is changed I need to do the same on all of the
protected folders on the real site...

What I wanted to do was use my own Win7 PC with a mirror image of the
website in such a way that I can test all aspects of the PHP scripts
before committing to the real world site.
So the mirror must be working the same way as the real site.

Seems like I must get a Linux box and install Apache there (it is
probably already installed out of the box) and then use that as a test
tool. But then I can't directly test the files as they are edited,
they have to be transferred over to the Linux server first, what a
hassle!
Sigh, have to think of another solution obviously.

-- 
Bo Berglund
Developer in Sweden


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

Posted by Bo Berglund <bo...@gmail.com>.
On Tue, 30 Apr 2013 13:06:50 -0400, Jeff Trawick <tr...@gmail.com>
wrote:

>> > I cannot understand why they left that out of Apache when compiling
>> > for Windows....
>>
>> I'm sure there is a good reason. I have yet to see ASF do anything
>> without one.
>>
>
>no comment ;)
>
>
>>
>> Maybe someone else can articulate the rationale.
>>
>
>* Windows doesn't come with a crypt()-equivalent API.  (Or didn't for a
>long time??????)
>* APR-Util doesn't support any third-party libraries for
>crypt()-equivalence on Windows.
>* Consumers of APR-Util like htpasswd don't think crypt()-equivalent is
>available on Windows and would need to use some different construct to
>detect availability of crypt()-equivalent passwords in APR-Util.
>* Somehow we made it this long without [m]any people caring.
>
>The work could be done, of course...  Whether crypt()-ed passwords are
>important enough now to justify the effort from a volunteer as well as the
>work of the related projects to review and test the code is unclear...
>

The Pascal code (I program PC software in Delphi) I use to
create/decode CRYPT:ed hashes is about 600 lines including constant
definitions...


-- 
Bo Berglund
Developer in Sweden




Re: [users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

Posted by Jeff Trawick <tr...@gmail.com>.
On Tue, Apr 30, 2013 at 12:33 PM, Ben Johnson <be...@indietorrent.org> wrote:

>
>
> On 4/30/2013 11:55 AM, Bo Berglund wrote:
> > On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <be...@indietorrent.org>
> > wrote:
> >
> >>> Well,
> >>> I cannot easily change the authentication method at all because the
> >>> "real" website uses CRYPT passwords and we also have a lot of software
> >>> in-house that updates these .htpasswd files with new user logins when
> >>> new customers are granted access to the protected parts of the site.
> >>
> >> Ah, I see. Yes, then the only short-term solution seems to be to resolve
> >> the issue with .htpasswd files on Windows.
> >
> > What I can do is to replace the .htpasswd file with for example
> > passwords in the .htaccess file and then put a few known test users
> > into that using the htpasswd command, which generates md5 hashes.
> > Then I can use the test site on my PC and the only thing I must not do
> > is commit the changed .htaccess file to CVS....
>
> Sounds good to me.
>
> >> Nonetheless, you might suggest migrating the "live" server to some form
> >> of database authentication in the future. It would be much simpler for
> >> your in-house software to maintain and update a single database table,
> >> rather than potentially hundreds of .htpassword and .htaccess files.
> >
> > I guess so, but then I first have to get comfortable using databases
> > on the website...
>
> Understood.
>
> >>> I have no idea how I could generate MD5 passwords in my software so I
> >>> am stuck with CRYPT (which I can create).
> >>> Note that if this is changed I need to do the same on all of the
> >>> protected folders on the real site...
> >>
> >> Generating MD5 passwords should be trivial in any environment. If you
> >> have a specific scripting language or similar, I'd be happy to provide
> >> examples. However, based on what you say above, changing from CRYPT to
> >> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
> >
> > I could probably call the Apache htpasswd program from within my own
> > program and supply it with parameter -c to create a new file and then
> > I read that back. Like this:
> > htpasswd.exe -cb passwordfile username password
> >
> >>
> >> I wouldn't go that far. There has to be a way to make CRYPT work on
> >> Windows. I'll do some more research (and attempt to get this working on
> >> my own machine) and provide an update.
> >>
> >
> > The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> > Creating them is no big deal, I already have software components for
> > that. But getting Apache to read them is....
>
> Ah, right. Well, it seems that I stand corrected: it does *not* seem to
> be possible to make Apache read crypted passwords on Windows:
>
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic
>
> CRYPT
> Unix only. Uses the traditional Unix crypt(3) function with a
> randomly-generated 32-bit salt (only 12 bits used) and the first 8
> characters of the password.
>
> > I cannot understand why they left that out of Apache when compiling
> > for Windows....
> >
> >
>
> I'm sure there is a good reason. I have yet to see ASF do anything
> without one.
>

no comment ;)


>
> Maybe someone else can articulate the rationale.
>

* Windows doesn't come with a crypt()-equivalent API.  (Or didn't for a
long time??????)
* APR-Util doesn't support any third-party libraries for
crypt()-equivalence on Windows.
* Consumers of APR-Util like htpasswd don't think crypt()-equivalent is
available on Windows and would need to use some different construct to
detect availability of crypt()-equivalent passwords in APR-Util.
* Somehow we made it this long without [m]any people caring.

The work could be done, of course...  Whether crypt()-ed passwords are
important enough now to justify the effort from a volunteer as well as the
work of the related projects to review and test the code is unclear...



>
> Bummer!
>
> -Ben
>
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: [users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

Posted by Ben Johnson <be...@indietorrent.org>.

On 4/30/2013 11:55 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <be...@indietorrent.org>
> wrote:
> 
>>> Well,
>>> I cannot easily change the authentication method at all because the
>>> "real" website uses CRYPT passwords and we also have a lot of software
>>> in-house that updates these .htpasswd files with new user logins when
>>> new customers are granted access to the protected parts of the site.
>>
>> Ah, I see. Yes, then the only short-term solution seems to be to resolve
>> the issue with .htpasswd files on Windows.
> 
> What I can do is to replace the .htpasswd file with for example
> passwords in the .htaccess file and then put a few known test users
> into that using the htpasswd command, which generates md5 hashes.
> Then I can use the test site on my PC and the only thing I must not do
> is commit the changed .htaccess file to CVS....

Sounds good to me.

>> Nonetheless, you might suggest migrating the "live" server to some form
>> of database authentication in the future. It would be much simpler for
>> your in-house software to maintain and update a single database table,
>> rather than potentially hundreds of .htpassword and .htaccess files.
> 
> I guess so, but then I first have to get comfortable using databases
> on the website...

Understood.

>>> I have no idea how I could generate MD5 passwords in my software so I
>>> am stuck with CRYPT (which I can create).
>>> Note that if this is changed I need to do the same on all of the
>>> protected folders on the real site...
>>
>> Generating MD5 passwords should be trivial in any environment. If you
>> have a specific scripting language or similar, I'd be happy to provide
>> examples. However, based on what you say above, changing from CRYPT to
>> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
> 
> I could probably call the Apache htpasswd program from within my own
> program and supply it with parameter -c to create a new file and then
> I read that back. Like this:
> htpasswd.exe -cb passwordfile username password
> 
>>
>> I wouldn't go that far. There has to be a way to make CRYPT work on
>> Windows. I'll do some more research (and attempt to get this working on
>> my own machine) and provide an update.
>>
> 
> The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> Creating them is no big deal, I already have software components for
> that. But getting Apache to read them is....

Ah, right. Well, it seems that I stand corrected: it does *not* seem to
be possible to make Apache read crypted passwords on Windows:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic

CRYPT
Unix only. Uses the traditional Unix crypt(3) function with a
randomly-generated 32-bit salt (only 12 bits used) and the first 8
characters of the password.

> I cannot understand why they left that out of Apache when compiling
> for Windows....
> 
> 

I'm sure there is a good reason. I have yet to see ASF do anything
without one.

Maybe someone else can articulate the rationale.

Bummer!

-Ben



[users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

Posted by Bo Berglund <bo...@gmail.com>.
On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <be...@indietorrent.org>
wrote:

>> Well,
>> I cannot easily change the authentication method at all because the
>> "real" website uses CRYPT passwords and we also have a lot of software
>> in-house that updates these .htpasswd files with new user logins when
>> new customers are granted access to the protected parts of the site.
>
>Ah, I see. Yes, then the only short-term solution seems to be to resolve
>the issue with .htpasswd files on Windows.

What I can do is to replace the .htpasswd file with for example
passwords in the .htaccess file and then put a few known test users
into that using the htpasswd command, which generates md5 hashes.
Then I can use the test site on my PC and the only thing I must not do
is commit the changed .htaccess file to CVS....

>Nonetheless, you might suggest migrating the "live" server to some form
>of database authentication in the future. It would be much simpler for
>your in-house software to maintain and update a single database table,
>rather than potentially hundreds of .htpassword and .htaccess files.

I guess so, but then I first have to get comfortable using databases
on the website...

>> I have no idea how I could generate MD5 passwords in my software so I
>> am stuck with CRYPT (which I can create).
>> Note that if this is changed I need to do the same on all of the
>> protected folders on the real site...
>
>Generating MD5 passwords should be trivial in any environment. If you
>have a specific scripting language or similar, I'd be happy to provide
>examples. However, based on what you say above, changing from CRYPT to
>MD5 sounds like as much or more work as getting CRYPT to work on Windows.

I could probably call the Apache htpasswd program from within my own
program and supply it with parameter -c to create a new file and then
I read that back. Like this:
htpasswd.exe -cb passwordfile username password

>
>I wouldn't go that far. There has to be a way to make CRYPT work on
>Windows. I'll do some more research (and attempt to get this working on
>my own machine) and provide an update.
>

The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
Creating them is no big deal, I already have software components for
that. But getting Apache to read them is....

I cannot understand why they left that out of Apache when compiling
for Windows....


-- 
Bo Berglund
Developer in Sweden




Re: [users@httpd] Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

Posted by Ben Johnson <be...@indietorrent.org>.

On 4/30/2013 11:12 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 10:31:07 -0400, Ben Johnson <be...@indietorrent.org>
> wrote:
> 
>>
>>
>> On 4/30/2013 9:06 AM, Bo Berglund wrote:
>>> I have a local Apache 2.2 server on my development PC. It is running
>>> on Windows7X64.
>>> Some of our folders are protected and we use .htpasswd files to
>>> authenticate the users with CRYPT-ed passwords.
>>> The whole website is version controlled in CVS and I work on a checked
>>> out copy of the website.
>>>
>>> Now I need to develop some PHP scripts and these need to know which
>>> user is logged on so for debugging I must get the authentication
>>> going.
>>> But so far I have been out of luck using the file with CRYPT:ed
>>> passwords.
>>>
>>> I discovered:
>>> If I use the htpasswd command to create a password on the Win7 box it
>>> seems to totally disregard the command line switch to make a CRYPT
>>> password, instead it always forces use of MD5.
>>>
>>> On the real server (at Network Solutions) the normal .htpasswd file
>>> works just fine.
>>>
>>> How can I make Apache2.2 on Win7X64 use the existing passwords so I
>>> can continue developing the PHP scripts?
>>>
>>>
>>
>> Hi, Bo,
>>
>> While I can't identify the cause of your issue readily, I can suggest a
>> fine alternative: use database authentication instead.
>>
>> Here's an excerpt from a blog comment that I wrote some time ago; it
>> should steer you in the right direction if you are open to my suggestion.
>>
>> From:
>> http://www.pitr.net/index.php/2007/08/08/internal-error-pcfg_openfile-called-with-null-filename/
>> ---------------------------------------------------------------
>> [...] Windows users do not have the ability to specify "AuthUserFile
>> /dev/null". Furthermore, that is an undesirable solution (as others have
>> noted). This is the appropriate method, provided as a complete example:
>>
>> <Directory />
>> 	Options FollowSymLinks
>> 	AllowOverride None
>> 	Order deny,allow
>> 	Deny from all
>> 	Satisfy all
>> 	AuthBasicProvider dbm
>> 	AuthDBMType SDBM
>> 	AuthName "Protected Area"
>> 	AuthType Basic
>> 	AuthDBMUserFile "D:/Program Files/Apache/passwords.dat"
>> 	require valid-user
>> </Directory>
>>
>> Obviously, "AuthBasicProvider" and "AuthDBMType" must reflect the
>> correct values for your system (available types for "AuthDBMType" are:
>> default|SDBM|GDBM|NDBM|DB). See
>> http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html and
>> http://httpd.apache.org/docs/2.1/mod/mod_auth_basic.html for additional
>> information.
>>
>> The above example functions as expected with Apache 2.2.6 on Windows 7
>> x86. "passwords.dat" should be created with something like this:
>>
>>> D:\Program Files\apache\bin>htdbm -cs "D:\Program Files\Apache\passwords.dat" yourname
>>
>> Note also that, according to the mod_auth_basic manual page (cited
>> above), setting "AuthBasicAuthoritative" to "Off" "... should only be
>> necessary when combining mod_auth_basic with third-party modules that
>> are not configured with the AuthBasicProvider directive."
>>
>> Thanks to everyone here for the assistance in getting this to work
>> properly (under Windows, no less).
>> ---------------------------------------------------------------
>>
>> Happy to answer any questions! Good luck!
>>
>> -Ben
> 
> Well,
> I cannot easily change the authentication method at all because the
> "real" website uses CRYPT passwords and we also have a lot of software
> in-house that updates these .htpasswd files with new user logins when
> new customers are granted access to the protected parts of the site.

Ah, I see. Yes, then the only short-term solution seems to be to resolve
the issue with .htpasswd files on Windows.

Nonetheless, you might suggest migrating the "live" server to some form
of database authentication in the future. It would be much simpler for
your in-house software to maintain and update a single database table,
rather than potentially hundreds of .htpassword and .htaccess files.

> I have no idea how I could generate MD5 passwords in my software so I
> am stuck with CRYPT (which I can create).
> Note that if this is changed I need to do the same on all of the
> protected folders on the real site...

Generating MD5 passwords should be trivial in any environment. If you
have a specific scripting language or similar, I'd be happy to provide
examples. However, based on what you say above, changing from CRYPT to
MD5 sounds like as much or more work as getting CRYPT to work on Windows.

> What I wanted to do was use my own Win7 PC with a mirror image of the
> website in such a way that I can test all aspects of the PHP scripts
> before committing to the real world site.
> So the mirror must be working the same way as the real site.

This is perfectly reasonable.

> Seems like I must get a Linux box and install Apache there (it is
> probably already installed out of the box) and then use that as a test
> tool. But then I can't directly test the files as they are edited,
> they have to be transferred over to the Linux server first, what a
> hassle!
> Sigh, have to think of another solution obviously.
> 

I wouldn't go that far. There has to be a way to make CRYPT work on
Windows. I'll do some more research (and attempt to get this working on
my own machine) and provide an update.

Also, I am able to corroborate the behavior you describe:

C:\Program Files\apache\bin>htpasswd -dc "C:\Program Files\Apache\passwords-test.dat" yourname
Automatically using MD5 format.
New password: ******
Re-type new password: ******
Adding password for user yourname

More soon,

-Ben
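
Added example, not part of the original thread and not Apache's or any poster's code: the thread turns on which .htpasswd hash formats httpd can verify on Windows. This Python sketch classifies the hash field of each entry and generates the $apr1$ (Apache MD5) form that htpasswd falls back to on Windows, which httpd verifies on Unix and Windows alike. The function names and the sample entries are assumptions made for illustration.

```python
"""Classify .htpasswd hash formats and produce Apache's $apr1$ (MD5) form."""
import hashlib
import hmac
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode `value` as `count` characters, 6 bits each, low bits first."""
    return "".join(ITOA64[(value >> 6 * i) & 0x3F] for i in range(count))

def apr1_md5(password, salt):
    """md5crypt with Apache's magic string: up to 8 salt chars, 1000 rounds."""
    pw, s = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for left in range(len(pw), 0, -16):   # one alt byte per password byte
        ctx.update(alt[:min(16, left)])
    n = len(pw)
    while n:                              # one byte per bit of the length
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # key-stretching rounds
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64(final[a] << 16 | final[b] << 8 | final[c], 4)
    return "$apr1$" + salt[:8] + "$" + out + _to64(final[11], 2)

def scheme(stored):
    """Name the format of the hash field of one .htpasswd entry."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"   # verified by httpd on every platform
    if stored.startswith("{SHA}"):
        return "sha1"       # unsalted SHA-1, base64 encoded
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"      # crypt(3): Unix only, first 8 password chars
    return "unknown"

def verify_apr1(password, stored):
    """Constant-time check of `password` against a stored $apr1$ hash."""
    if scheme(stored) != "apr1-md5":
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_md5(password, salt).encode(), stored.encode())

def new_entry(user, password):
    """Build a `user:hash` line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return user + ":" + apr1_md5(password, salt)

def audit(lines):
    """Map user -> format, so CRYPT entries stand out before a Windows test run."""
    pairs = (line.strip().split(":", 1) for line in lines if ":" in line)
    return {user: scheme(stored) for user, stored in pairs}

# Constructed sample file; the CRYPT and SHA fields are format-only placeholders.
SAMPLE = ["alice:abCDEFGHIJKLM", new_entry("bob", "s3cret-test"), "carol:{SHA}" + "A" * 27 + "="]

if __name__ == "__main__":
    for user, kind in audit(SAMPLE).items():
        print(user, kind)
```

Entries reported as "crypt" are the ones a Windows httpd build will fail to authenticate; re-issuing them requires the user's password, since the stored hash cannot be converted.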
