You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by no...@apache.org on 2007/08/19 20:18:18 UTC
svn commit: r567450 - in /httpd/httpd/trunk/docs/manual/misc:
password_encryptions.html password_encryptions.html.en
password_encryptions.xml password_encryptions.xml.meta
Author: noodl
Date: Sun Aug 19 11:18:17 2007
New Revision: 567450
URL: http://svn.apache.org/viewvc?view=rev&rev=567450
Log:
Description of password formats copied from Tom Donovan's work on the wiki
Added:
httpd/httpd/trunk/docs/manual/misc/password_encryptions.html
httpd/httpd/trunk/docs/manual/misc/password_encryptions.html.en
httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml
httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml.meta
Added: httpd/httpd/trunk/docs/manual/misc/password_encryptions.html
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/misc/password_encryptions.html?view=auto&rev=567450
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/password_encryptions.html (added)
+++ httpd/httpd/trunk/docs/manual/misc/password_encryptions.html Sun Aug 19 11:18:17 2007
@@ -0,0 +1,3 @@
+URI: password_encryptions.html.en
+Content-Language: en
+Content-type: text/html; charset=ISO-8859-1
Added: httpd/httpd/trunk/docs/manual/misc/password_encryptions.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/misc/password_encryptions.html.en?view=auto&rev=567450
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/password_encryptions.html.en (added)
+++ httpd/httpd/trunk/docs/manual/misc/password_encryptions.html.en Sun Aug 19 11:18:17 2007
@@ -0,0 +1,208 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>Password Formats - Apache HTTP Server</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.3</p>
+<img alt="" src="../images/feather.gif" /></div>
+<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Password Formats</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English"> en </a></p>
+</div>
+
+ <p>Notes about the password encryption formats generated and understood by
+ Apache.</p>
+ </div>
+<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#basic">Basic Authentication</a></li>
+<li><img alt="" src="../images/down.gif" /> Digest Authentication</li>
+</ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="basic" id="basic">Basic Authentication</a></h2>
+
+ <p>There are four formats that Apache recognizes for basic-authentication
+ passwords. Note that not all formats work on every platform:</p>
+
+ <dl>
+ <dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
+ <dd>Windows, BEOS, & Netware only.</dd>
+
+ <dt>CRYPT</dt>
+ <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
+ 32-bit salt and the password.</dd>
+
+ <dt>SHA1</dt>
+ <dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
+
+ <dt>MD5</dt>
+ <dd>"$apr1$" + the result of an Apache-specific algorithm using an
+ iterated (1,000 times) MD5 digest of various combinations of a
+ randomly-generated 32-bit salt and the password. See the APR source file
+ <a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
+ for the details of the algorithm.</dd>
+ </dl>
+
+ <h3>Generating values with htpasswd</h3>
+
+ <div class="example"><h3>MD5</h3><p><code>
+ $ htpasswd -nbm myName myPassword<br />
+ myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+ </code></p></div>
+
+ <div class="example"><h3>SHA1</h3><p><code>
+ $ htpasswd -nbs myName myPassword<br />
+ myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
+ </code></p></div>
+
+ <div class="example"><h3>CRYPT</h3><p><code>
+ $ htpasswd -nbd myName myPassword<br />
+ myName:rqXexS6ZhobKA
+ </code></p></div>
+
+
+
+ <h3>Generating CRYPT and MD5 values with the OpenSSL
+ command-line program</h3>
+
+
+ <p>OpenSSL knows the Apache-specific MD5 algorithm.</p>
+
+ <div class="example"><h3>MD5</h3><p><code>
+ $ openssl passwd -apr1 myPassword<br />
+ $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
+ </code></p></div>
+
+ <div class="example"><h3>CRYPT</h3><p><code>
+ openssl passwd -crypt myPassword<br />
+ qQ5vTYO3c8dsU
+ </code></p></div>
+
+
+ <h3>Validating CRYPT or MD5 passwords with the OpenSSL command
+ line program</h3>
+
+ <p>The salt for a CRYPT password is the first two characters (as a
+ Base64-encoded binary value). To validate <code>myPassword</code> against
+ <code>rqXexS6ZhobKA</code></p>
+
+ <div class="example"><h3>CRYPT</h3><p><code>
+ $ openssl passwd -crypt -salt rq myPassword<br />
+ Warning: truncating password to 8 characters<br />
+ rqXexS6ZhobKA
+ </code></p></div>
+
+ <p>Note that using <code>myPasswo</code> instead of
+ <code>myPassword</code> will produce the same result because only the
+ first 8 characters of CRYPT passwords are considered.</p>
+
+ <p>The salt for an MD5 password is between <code>$apr1$</code> and the
+ following <code>$</code> (as a Base64-encoded binary value - max 8 chars)
+ To validate <code>myPassword</code> against
+ <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>
+
+ <div class="example"><h3>MD5</h3><p><code>
+ $ openssl passwd -apr1 -salt r31..... myPassword<br />
+ $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+ </code></p></div>
+
+
+ <h3>Database password fields for mod_dbd</h3>
+ <p>The SHA1 variant is probably the most useful format for DBD
+ authentication. Since the SHA1-hash and Base64-encoding functions are
+ commonly available, other software can populate a database with encrypted
+ passwords which are usable by Apache basic authentication.</p>
+
+ <p>To create Apache SHA1-variant basic-authentication passwords in various
+ languages:</p>
+
+ <div class="example"><h3>PHP</h3><p><code>
+ '{SHA}' . base64_encode(sha1($password, TRUE))
+ </code></p></div>
+
+ <div class="example"><h3>Java</h3><p><code>
+ "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
+ </code></p></div>
+
+ <div class="example"><h3>ColdFusion</h3><p><code>
+ "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
+ </code></p></div>
+
+ <div class="example"><h3>Ruby</h3><p><code>
+ require 'digest/sha1'<br />
+ require 'base64'<br />
+ '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
+ </code></p></div>
+
+ <div class="example"><h3>C or C++</h3><p><code>
+ Use the APR function: apr_sha1_base64
+ </code></p></div>
+
+ <div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions
+ installed)</h3><p><code>
+
+ '{SHA}'||encode(digest(password,'sha1'),'base64')
+ </code></p></div>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2>Digest Authentication</h2>
+ <p>There is only one format which Apache recognizes for
+ digest-authentication passwords. This format is the MD5 hash of the string
+ <code>user:realm:password</code> as a 32-character string of hexadecimal
+ digits. <code>realm</code> is the Authorization Realm argument to the
+ <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive in
+ httpd.conf.</p>
+
+ <h3>Database password fields for mod_dbd</h3>
+
+ <p>Since the MD5-hash function is commonly available, other software can
+ populate a database with encrypted passwords which are usable by Apache
+ digest authentication.</p>
+
+ <p>To create Apache digest-authentication passwords in various
+ languages:</p>
+
+ <div class="example"><h3>PHP</h3><p><code>
+ md5($user . ':' . $realm . ':' .$password)
+ </code></p></div>
+
+ <div class="example"><h3>Java</h3><p><code>
+ byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
+ java.math.BigInteger bi = new java.math.BigInteger(b);<br />
+ String s = bi.toString(16);<br />
+ if (s.length() % 2 != 0)<br />
+ <span class="indent">
+ s = "0" + s;
+ </span>
+ // String s is the digest hash
+ </code></p></div>
+
+ <div class="example"><h3>ColdFusion</h3><p><code>
+ LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
+ </code></p></div>
+
+ <div class="example"><h3>Ruby</h3><p><code>
+ require 'digest/md5'<br />
+ Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
+ </code></p></div>
+
+
+ </div></div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English"> en </a></p>
+</div><div id="footer">
+<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+</body></html>
\ No newline at end of file
Added: httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml?view=auto&rev=567450
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml (added)
+++ httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml Sun Aug 19 11:18:17 2007
@@ -0,0 +1,205 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manualpage metafile="password_encryptions.xml.meta">
+ <parentdocument href="./">Miscellaneous Documentation</parentdocument>
+
+ <title>Password Formats</title>
+
+ <summary>
+ <p>Notes about the password encryption formats generated and understood by
+ Apache.</p>
+ </summary>
+
+ <section id="basic"><title>Basic Authentication</title>
+
+ <p>There are four formats that Apache recognizes for basic-authentication
+ passwords. Note that not all formats work on every platform:</p>
+
+ <dl>
+ <dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
+ <dd>Windows, BEOS, & Netware only.</dd>
+
+ <dt>CRYPT</dt>
+ <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
+ 32-bit salt and the password.</dd>
+
+ <dt>SHA1</dt>
+ <dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
+
+ <dt>MD5</dt>
+ <dd>"$apr1$" + the result of an Apache-specific algorithm using an
+ iterated (1,000 times) MD5 digest of various combinations of a
+ randomly-generated 32-bit salt and the password. See the APR source file
+ <a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
+ for the details of the algorithm.</dd>
+ </dl>
+
+ <section><title>Generating values with htpasswd</title>
+
+ <example><title>MD5</title>
+ $ htpasswd -nbm myName myPassword<br />
+ myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+ </example>
+
+ <example><title>SHA1</title>
+ $ htpasswd -nbs myName myPassword<br />
+ myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
+ </example>
+
+ <example><title>CRYPT</title>
+ $ htpasswd -nbd myName myPassword<br />
+ myName:rqXexS6ZhobKA
+ </example>
+
+ </section>
+
+ <section>
+ <title>Generating CRYPT and MD5 values with the OpenSSL
+ command-line program</title>
+
+ <p>OpenSSL knows the Apache-specific MD5 algorithm.</p>
+
+ <example><title>MD5</title>
+ $ openssl passwd -apr1 myPassword<br />
+ $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
+ </example>
+
+ <example><title>CRYPT</title>
+ openssl passwd -crypt myPassword<br />
+ qQ5vTYO3c8dsU
+ </example>
+ </section>
+
+ <section>
+ <title>Validating CRYPT or MD5 passwords with the OpenSSL command
+ line program</title>
+ <p>The salt for a CRYPT password is the first two characters (as a
+ Base64-encoded binary value). To validate <code>myPassword</code> against
+ <code>rqXexS6ZhobKA</code></p>
+
+ <example><title>CRYPT</title>
+ $ openssl passwd -crypt -salt rq myPassword<br />
+ Warning: truncating password to 8 characters<br />
+ rqXexS6ZhobKA
+ </example>
+
+ <p>Note that using <code>myPasswo</code> instead of
+ <code>myPassword</code> will produce the same result because only the
+ first 8 characters of CRYPT passwords are considered.</p>
+
+ <p>The salt for an MD5 password is between <code>$apr1$</code> and the
+ following <code>$</code> (as a Base64-encoded binary value - max 8 chars)
+ To validate <code>myPassword</code> against
+ <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>
+
+ <example><title>MD5</title>
+ $ openssl passwd -apr1 -salt r31..... myPassword<br />
+ $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+ </example>
+ </section>
+
+ <section><title>Database password fields for mod_dbd</title>
+ <p>The SHA1 variant is probably the most useful format for DBD
+ authentication. Since the SHA1-hash and Base64-encoding functions are
+ commonly available, other software can populate a database with encrypted
+ passwords that are usable by Apache basic authentication.</p>
+
+ <p>To create Apache SHA1-variant basic-authentication passwords in various
+ languages:</p>
+
+ <example><title>PHP</title>
+ '{SHA}' . base64_encode(sha1($password, TRUE))
+ </example>
+
+ <example><title>Java</title>
+ "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
+ </example>
+
+ <example><title>ColdFusion</title>
+ "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
+ </example>
+
+ <example><title>Ruby</title>
+ require 'digest/sha1'<br />
+ require 'base64'<br />
+ '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
+ </example>
+
+ <example><title>C or C++</title>
+ Use the APR function: apr_sha1_base64
+ </example>
+
+ <example>
+ <title>PostgreSQL (with the contrib/pgcrypto functions
+ installed)</title>
+ '{SHA}'||encode(digest(password,'sha1'),'base64')
+ </example>
+ </section>
+
+ </section>
+
+ <section><title>Digest Authentication</title>
+ <p>There is only one format that Apache recognizes for
+ digest-authentication passwords. This format is the MD5 hash of the string
+ <code>user:realm:password</code> as a 32-character string of hexadecimal
+ digits. <code>realm</code> is the Authorization Realm argument to the
+ <directive module="mod_authn_core">AuthName</directive> directive in
+ httpd.conf.</p>
+
+ <section><title>Database password fields for mod_dbd</title>
+
+ <p>Since the MD5-hash function is commonly available, other software can
+ populate a database with encrypted passwords that are usable by Apache
+ digest authentication.</p>
+
+ <p>To create Apache digest-authentication passwords in various
+ languages:</p>
+
+ <example><title>PHP</title>
+ md5($user . ':' . $realm . ':' .$password)
+ </example>
+
+ <example><title>Java</title>
+ byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
+ java.math.BigInteger bi = new java.math.BigInteger(b);<br />
+ String s = bi.toString(16);<br />
+ if (s.length() % 2 != 0)<br />
+ <indent>
+ s = "0" + s;
+ </indent>
+ // String s is the digest hash
+ </example>
+
+ <example><title>ColdFusion</title>
+ LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
+ </example>
+
+ <example><title>Ruby</title>
+ require 'digest/md5'<br />
+ Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
+ </example>
+
+ </section>
+ </section>
+
+</manualpage>
\ No newline at end of file
Added: httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml.meta
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml.meta?view=auto&rev=567450
==============================================================================
--- httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml.meta (added)
+++ httpd/httpd/trunk/docs/manual/misc/password_encryptions.xml.meta Sun Aug 19 11:18:17 2007
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<metafile>
+ <basename>password_encryptions</basename>
+ <path>/misc/</path>
+ <relpath>..</relpath>
+
+ <variants>
+ <variant>en</variant>
+ </variants>
+</metafile>