Posted to users@httpd.apache.org by Phil Endecott <sp...@chezphil.org> on 2007/08/18 16:33:39 UTC
[users@httpd] authn_dbd: what format for encrypted password?
Dear Experts,
I'm setting up mod_authn_dbd for the first time (having previously used
the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
passwords should be encoded in the database. The docs at
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
"The query must take a single string (typically SQL varchar) argument (username),
and return a single value (encrypted password)."
Do I have a choice of encryption formats? How do I tell it which
format I have used? (Is there some more documentation somewhere that I
have missed?)
Many thanks for any advice you can offer.
Regards,
Phil.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] authn_dbd: what format for encrypted password?
Posted by Vincent Bray <no...@gmail.com>.
On 18/08/07, Joshua Slive <jo...@slive.ca> wrote:
> On 8/18/07, Tom Donovan <do...@bellatlantic.net> wrote:
>
> > There are four formats that Apache recognizes for passwords.
> > Note that not all four work on every platform:
>
> Nice summary!
>
> How about making a page on wiki.apache.org/httpd/ for that?
>
> Joshua.
Agreed with Joshua, I had no idea there was an Apache-specific MD5
algorithm. Some docs, please!
--
noodl
Re: [users@httpd] authn_dbd: what format for encrypted password?
Posted by Vincent Bray <no...@gmail.com>.
On 19/08/07, Tom Donovan <do...@bellatlantic.net> wrote:
> Joshua Slive wrote:
> > How about making a page on wiki.apache.org/httpd/ for that?
>
> Done! http://wiki.apache.org/httpd/Encrypted_Passwords
Moved! http://wiki.apache.org/httpd/EncryptedPasswords
Sorry for the pedantry but we only recently went through the whole
site renaming everything with this format. Otherwise it's good stuff
and can probably be translated for the main docs as-is.
--
noodl
Re: [users@httpd] authn_dbd: what format for encrypted password?
Posted by Tom Donovan <do...@bellatlantic.net>.
Joshua Slive wrote:
> How about making a page on wiki.apache.org/httpd/ for that?
Done! http://wiki.apache.org/httpd/Encrypted_Passwords
-tom-
Re: [users@httpd] authn_dbd: what format for encrypted password?
Posted by Joshua Slive <jo...@slive.ca>.
On 8/18/07, Tom Donovan <do...@bellatlantic.net> wrote:
> There are four formats that Apache recognizes for passwords.
> Note that not all four work on every platform:
Nice summary!
How about making a page on wiki.apache.org/httpd/ for that?
Joshua.
Re: [users@httpd] authn_dbd: what format for encrypted password?
Posted by Tom Donovan <do...@bellatlantic.net>.
Phil Endecott wrote:
> Dear Experts,
>
> I'm setting up mod_authn_dbd for the first time (having previously used
> the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
> passwords should be encoded in the database. The docs at
> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
>
> "The query must take a single string (typically SQL varchar) argument
> (username),
> and return a single value (encrypted password)."
>
> Do I have a choice of encryption formats? How do I tell it which format
> I have used? (Is there some more documentation somewhere that I have
> missed?)
There are four formats that Apache recognizes for passwords.
Note that not all four work on every platform:

1. PLAIN TEXT (i.e. unencrypted) passwords:
   Windows, BEOS, & Netware only.

2. CRYPT passwords:
   Unix only.
   Calls the Unix crypt(3) function with a
   randomly-generated 32-bit salt and the password

3. SHA1 passwords:
   "{SHA}" + Base64-encoded SHA-1 digest of the password

4. MD5 passwords:
   "$apr1$" + the result of an Apache-specific algorithm
   using an iterated (1,000 times) MD5 digest of various
   combinations of a randomly-generated 32-bit salt
   and the password. See source file apr-util/crypto/apr_md5.c
   for the details of the algorithm.

The htpasswd program can be used to generate values:

MD5
    htpasswd -nbm myName myPassword
    myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

SHA1
    htpasswd -nbs myName myPassword
    myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

CRYPT
    htpasswd -nbd myName myPassword
    myName:rqXexS6ZhobKA

openssl can also be used to generate CRYPT and MD5 values
(openssl knows the Apache-specific algorithm). For example:

MD5
    openssl passwd -apr1 myPassword
    $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

CRYPT
    openssl passwd -crypt myPassword
    qQ5vTYO3c8dsU

The SHA1 variant is probably the most useful for DBD authentication.
Since the SHA1-hash and Base64-encoding functions are commonly
available, other software can populate a database with encrypted
passwords which are usable by Apache.
-tom-
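An added example, not part of the original thread and not Apache's own code: a Python re-implementation of the {SHA} and $apr1$ formats described in the reply above, using the htpasswd values quoted there as sample data. The function names are assumptions of this example, and crypt(3) and plain-text values are deliberately left unhandled.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SAMPLE_SHA = "{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE="       # from the reply above, password "myPassword"
SAMPLE_APR1 = "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"  # from the reply above, password "myPassword"

def sha_hash(password):
    """'{SHA}' + Base64 of the raw (not hex) SHA-1 digest; no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def _to64(value, count):
    # Emit `count` characters of 6 bits each, least-significant bits first.
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password, salt):
    """The $apr1$ scheme: 1,000 MD5 rounds over password and salt."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:  # one extra byte per bit of the password length
        ctx += b"\x00" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    body = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return "$apr1$" + salt[:8] + "$" + body + _to64(final[11], 2)

def verify(password, stored):
    """Check a candidate password against a stored {SHA} or $apr1$ value."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    else:  # crypt(3) and plain text carry no prefix and depend on the platform
        raise ValueError("unprefixed value: crypt(3) or plain text, not handled here")
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    print(verify("myPassword", SAMPLE_SHA), verify("myPassword", SAMPLE_APR1))
```

A {SHA} value has no salt, so equal passwords produce equal stored values, while each $apr1$ value embeds its own salt between the second and third `$`.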
Re: [users@httpd] authn_dbd: what format for encrypted password? [dbd now broken]
Posted by Phil Endecott <sp...@chezphil.org>.
Dear All,
I'm trying to set up auth with postgresql...
Laurent FAILLIE wrote:
> My only advice is to not use it as it doesn't work :-(
Yesterday I thought it was working, but since then it has fallen apart
and I'm wondering if Laurent might be right after all...
Yesterday I was running 2.2.3 (Debian package). It was working. This
evening I upgraded to 2.2.4 (still Debian). (Why? "If it ain't broken,
don't fix it." I should remember that, but it's too late now.)
Although the rest of the system still works, pgsql auth has failed.
My configuration currently looks like this (slightly edited):
<VirtualHost x.y.z.z:443>
    ServerName xxxxx
    DBDriver pgsql
    DBDParams "dbname=xxxx user=xxxx"
    DBDExptime 100
    DBDKeep 1
    DBDMax 5
    DBDMin 1
    DBDpersist on
    # Note docs say 0|1 for persist, but it actually wants on|off
    DocumentRoot /var/www/xxxx
    <Directory /var/www/xxxx>
        Options FollowSymLinks MultiViews +ExecCGI +Includes
        AllowOverride All
        AddHandler cgi-script cgi
        DirectoryIndex index
        Order allow,deny
        allow from all
        AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
        AuthName "xxxx"
        AuthType basic
        AuthPAM_Enabled off
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "select '{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64') from users where username=$1 and enabled"
        require valid-user
    </Directory>
    SSLEngine on
    SSLCertificateFile xxxx
    ErrorLog /var/log/apache2/xxxxx/error.log
    LogLevel warn
    CustomLog /var/log/apache2/xxxx/access.log combined
    ServerSignature On
</VirtualHost>
Yesterday I had "DBDpersist off", and no exptime, keep, min or max
parameters. I tried that at first with 2.2.4, with the following symptoms:
In the error log:
[Mon Aug 20 23:52:14 2007] [error] [client 86.6.8.194] No DBD Authn configured!
In the postgresql log, I see a connection, authorisation and immediate
disconnection, without any query being executed:
2007-08-20 23:52:30 BST LOG: connection received: host=[local]
2007-08-20 23:52:30 BST LOG: connection authorized: user=xxxx database=xxxx
2007-08-20 23:52:30 BST LOG: disconnection: session time: 0:00:00.040 user=xxxx database=xxxx host=[local]
I then tried the "persist on" settings shown above. This fails in a
different way. Nothing else in this configuration has changed since it
was working yesterday with 2.2.3, and the postgresql configuration has
not changed.
With "persist on", the symptom is that I see this in the error log:
[Mon Aug 20 23:12:29 2007] [error] [client 86.6.8.194] Error looking up phil in database
In the postgresql log, I see *nothing at all*. This log records
something even if I just telnet to the right port number, which makes
me think that Apache isn't attempting to connect at all. I have tried
to debug with strace, and although it's hard to see what is going on I
can't see any attempts to open a database connection. lsof -i and lsof
-U don't appear to show any connection either.
So: Can anyone see anything obviously wrong with the configuration
shown above? I'm aware that there may be some known issues with this
stuff, but are there any known *regressions* from 2.2.3 to 2.2.4? Was
I just lucky before? How can I debug further? Is there a way to get
verbose debug out of mod_dbd? (I have tried "loglevel debug" but that
doesn't add anything.)
Many thanks for any advice.
Phil.
Re: [users@httpd] RE : [users@httpd] authn_dbd: what format for encrypted password?
Posted by Tom Donovan <do...@bellatlantic.net>.
Laurent FAILLIE wrote:
> --- Phil Endecott
>> Many thanks for any advice you can offer.
>
> Hi Phil,
>
> My only advice is to not use it as it doesn't work :-(
> Stock 2.2.4's dbd is buggy and even with an updated
> mod_dbd.c it randomly fails (see bug 42732 /
> http://issues.apache.org/bugzilla/show_bug.cgi?id=42732).
>
I disagree. I use mod_dbd with Apache 2.2.4 on both Windows & Linux
with success. I don't use it with PostgreSQL in production (although I
have tested with PostgreSQL and found no problems).
I have not experienced random failures (...so far...)
I always apply the patch from comment #22 in bug 39985
http://issues.apache.org/bugzilla/show_bug.cgi?id=39985#c22
For sites where idle connections may time out, I also apply the patch
that I proposed in APR bug 42841
http://issues.apache.org/bugzilla/show_bug.cgi?id=42841
Be careful with this one. It hasn't been accepted by the APR folks, and
there's really no indication that it ever will be.
re: documenting the Apache password stuff in the WIKI.
Sure, I will get this done in a day or two.
-tom-
[users@httpd] RE : [users@httpd] authn_dbd: what format for encrypted password?
Posted by Laurent FAILLIE <l_...@yahoo.com>.
--- Phil Endecott
> Many thanks for any advice you can offer.
Hi Phil,
My only advice is to not use it as it doesn't work :-(
Stock 2.2.4's dbd is buggy and even with an updated
mod_dbd.c it randomly fails (see bug 42732 /
http://issues.apache.org/bugzilla/show_bug.cgi?id=42732).
As a workaround, I authenticate using PHP.
Best regards,
Laurent