Posted to users@httpd.apache.org by Milind Sawant <mi...@skandiabank.ch> on 2002/04/16 20:51:49 UTC

RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.

I am using Apache 1.3.19 on Sun Solaris 2.7.

I am seeing some funny behaviour.
I use
$./htpasswd -cm passwordfile username
to create an MD5-encrypted password of more than 8 characters,
and correspondingly configure Basic authentication.

Now on authentication, when I supply this password, it throws the error
"password mismatch" in the Apache error logs.
But if I supply only the first 8 characters I can log in.

Does anyone have any input on what may be causing this funny behaviour?

thanks

Milind Sawant
Web Administrator (Apollo)
TCS

+0041 1 288 4675


-----Original Message-----
From: Pete Nelson [mailto:pete.nelson@ci.stpaul.mn.us]
Sent: 16 April 2002 16:26
To: users@httpd.apache.org
Subject: RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.


Owen's absolutely right - sorry I didn't see this.  With crypt, all
characters beyond the first 8 are meaningless.  However, with MD5 (the
-m option), my 19-character password was preserved.  I didn't have any
password mismatch error, but I did have to shut down my browser before
attempting to reconnect (so it no longer recognized the realm).  I also
restarted my web server between tests.

After restarting my browser, I tried logging in with 'thisisal' and
'thisisalargepassword', and I was re-prompted for the password.  When I
entered 'thisisalongpassword', it worked.

Note that these last tests were just on Apache 1.3.22/RedHat 6.2.
(Apache 1.3.24/Win2k forces MD5, unless you specify SHA (-s) - there is
no crypt on Win32).

--
Pete Nelson, Web Developer
<pe...@ci.stpaul.mn.us>
http://www.ci.stpaul.mn.us/

>>> milind.sawant@skandiabank.ch 04/16/02 09:04AM >>>
Hi

thanks for your concern

The Basic Authentication in Apache uses the htpasswd utility to generate
passwords.

A) The default option is -d (force CRYPT encryption of the password).
	You can create a password of more than 8 characters,
	but only the first 8 characters are relevant.
	As Owen Boyle has rightly pointed out, if "xxxxxxxxYBDCDC" is your password
	and on authentication you supply "xxxxxxxxADBDD" as the password, you can log in.

B) Using other options like -m (MD5 encryption) and -s (SHA encryption) doesn't
work.
	I can generate the password but get a password mismatch error on
	authentication.


Do you have the same experience?


Milind

Milind Sawant
Web Administrator (Apollo)
TCS

+0041 1 288 4675


-----Original Message-----
From: obo@bourse.ch [mailto:obo@bourse.ch]
Sent: 16 April 2002 15:28
To: users@httpd.apache.org
Subject: Re: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.


Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword).  I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.

Did you test whether all the characters were significant? AFAIK, Apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the
same.

Rgds,

Owen Boyle.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
