Posted to users@httpd.apache.org by Jannetta S Steyn <ja...@henning.org> on 2007/04/20 07:56:40 UTC

[users@httpd] .htpasswd problems

Hi All

I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good
place to start, even if it is just to get someone to guide me in the right direction.

Some years ago I wrote a web front-end for managing .htpasswd files. My client has been
using this for years. Everything is written in php and I use crypt without a seed to
encrypt the passwords. Basically what I do is to allow the user to create entries in the
.htadmin file. They can also manage the .htpasswd file by editing and deleting entries.
Everything worked very well for about 2 years at which point the passwords wouldn't work
anymore. I couldn't figure out what was wrong and the client's ISP would help finding
the fault and I couldn't reproduce the problem on my own servers.

I then moved everything onto my own servers and everything worked again for several
years. Unfortunately I then had to move onto rented web space where everything continued
to work for another year or so and now I'm experiencing the same problem again. When the
problem originally started I modified the scripts to keep a copy of the .htpasswd file
with open passwords and I added a menu item to allow the user to re-submit the password
file. This would encrypt all the passwords again and write them to the .htpasswd file and
things would work again for a few days.

Now however the thing breaks so often that we just can carry on resubmitting again. I
have once again moved everything onto my servers and since last night I discovered one
thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a
different hash for the password every time you run it. However, when you log in, it
works, even though the password in the .htpasswd file seemed to have changed. My
question in the first place then is: How on earth does htpasswd manage to authenticate
if the password hash changes every time?

My understanding of how authentication works is that the password is saved as an md5 or
DES hash and when the user tries to log in he enters his clear password which is then
encrypted and compared with the hash in the password file. Surely though the two hashes
should be the same. If however a seed is used which is different every time the
encrypting is done then we'll get a different password every time and they should be
equal. Why then does apache still authenticate the user?

My second question is: Did the way htpasswd and apache work change at some stage, or why
did my scripts stop working after such a long time?

The project is available in sourceforge at
http://sourceforge.net/project/showfiles.php?group_id=62350. I would really appreciate
any guidance on this problem.

Kind Regards
Jannetta


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] .htpasswd problems

Posted by Jannetta S Steyn <ja...@henning.org>.
Hi there

> You're talking about the differences between hashing and encryption /
> decryption.  MD5 is a hashing algorithm, DES is an encryption /
> decryption algorithm.  See:

True, I was confusing the issue here. However, when I wrote the scripts
originally I think only MD5 was used, and the hashes were compared for
authentication. I remember then, looking at the files and even after
re-creating the passwords, the hashes didn't change. Now however, even the
hashes do seem to change. Example, and here I am forcing md5:

-bash-3.1$
-bash-3.1$ htpasswd -n -m -b username password
username:$apr1$YxgJg...$CBPoLTrXCOLCn13LDTL8w1

-bash-3.1$ htpasswd -n -m -b username password
username:$apr1$fjhvN/..$a2OsVleb.E8zoEOyfWfuw.

-bash-3.1$ htpasswd -n -m -b username password
username:$apr1$ie9n5/..$yOfvwYlhFXBOicCXuk.DK0

The main issue for me still remains: why does my password file stop working
after a while? Obviously something regarding the way the passwords are
generated and compared changed since I originally wrote the stuff. What
changed? I need to know this to accommodate the changes in my code.

Thanks for all your input
Regards
Jannetta 




Re: [users@httpd] .htpasswd problems

Posted by "Neil A. Hillard" <ne...@agustawestland.com>.
Hi,

Jannetta S Steyn wrote:
>> It doesn't matter what gets stored as long as the
>> decrypted value matches the password.
> 
> This part of what you said puzzles me. Why would you want to decrypt the password, and
> isn't the point of md5 and DES that you don't decrypt the password? Usually the
> passwords are compared in their encrypted form. That's the whole idea of a message
> digest, isn't it: to get a unique signature for a message and to make it near impossible
> to retrieve the message from the signature again.

You're talking about the differences between hashing and encryption /
decryption.  MD5 is a hashing algorithm, DES is an encryption /
decryption algorithm.  See:

http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Encryption

HTH,


				Neil.

-- 
Neil Hillard                    neil.hillard@agustawestland.com
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.



Re: [users@httpd] .htpasswd problems

Posted by Jannetta S Steyn <ja...@henning.org>.
Hi Steve

> It doesn't matter what gets stored as long as the
> decrypted value matches the password.

This part of what you said puzzles me. Why would you want to decrypt the password, and
isn't the point of md5 and DES that you don't decrypt the password? Usually the
passwords are compared in their encrypted form. That's the whole idea of a message
digest, isn't it: to get a unique signature for a message and to make it near impossible
to retrieve the message from the signature again.

Regards
Jannetta




Re: [users@httpd] .htpasswd problems

Posted by Steve Swift <st...@gmail.com>.
Using htpasswd to control passwords in the .htpasswd file has always
resulted in varying values for the same password. This is a standard
encryption technique. It doesn't matter what gets stored as long as the
decrypted value matches the password. A simple mechanism could use 256
different encryption methods, with the one used stored in the first byte of
the encrypted results.



-- 
Steve Swift
http://www.swiftys.org.uk
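Added example, not from the thread or from htpasswd's own source: a Python re-implementation of the `$apr1$` MD5-crypt scheme behind the `htpasswd -m` entries Jannetta shows above, to make Steve's point concrete. The random salt is written into the entry (`$apr1$<salt>$<hash>`), so a fresh salt gives a different string each run, while verification re-runs the same computation with the stored salt and compares. Assumed here: an 8-character salt and 1000 rounds, which is how I understand APR's MD5 crypt to work.

```python
import hashlib
import secrets

# Re-implementation of APR's "$apr1$" MD5-crypt (assumed: 8-char salt, 1000 rounds).
# This is an added illustration, not code from htpasswd or from the thread.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    # crypt-style base64: 6 bits per character, least significant bits first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_crypt(password: str, salt: str) -> str:
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    mix = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):                 # spread the mix over the password length
        ctx.update(mix[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                 # bit-by-bit mixing of the length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                    # key stretching rounds
        ctx = hashlib.md5()
        ctx.update(pw if r & 1 else final)
        if r % 3:
            ctx.update(sl)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    enc = ""                                 # 16 digest bytes -> 22 characters
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64(final[a] << 16 | final[b] << 8 | final[c], 4)
    enc += _to64(final[11], 2)
    return f"{MAGIC}{sl.decode()}${enc}"


def make_entry(user: str, password: str) -> str:
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))  # fresh salt per call
    return f"{user}:{apr1_crypt(password, salt)}"


def verify(password: str, entry: str) -> bool:
    stored = entry.split(":", 1)[1]
    parts = stored.split("$")                # ["", "apr1", salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False                         # not an $apr1$ entry
    return secrets.compare_digest(apr1_crypt(password, parts[2]), stored)
```

Two calls to `make_entry` with the same password produce different lines, exactly as the three `htpasswd -n -m -b` runs above do, yet `verify` accepts the password against either.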