You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Justin Erenkrantz <je...@apache.org> on 2002/09/10 08:36:11 UTC

Re: cvs commit: httpd-2.0/support htpasswd.c

On Tue, Sep 10, 2002 at 03:00:51AM -0000, jerenkrantz@apache.org wrote:
> jerenkrantz    2002/09/09 20:00:50
> 
>   Modified:    .        CHANGES
>                support  htpasswd.c
>   Log:
>   Add ability to htpasswd (via -5) to produce non-obfuscated MD5 hashes.
>   
>   mod_auth_digest's passwords can not be obfuscated by the APR magic
>   sequence (as we don't call apr_password_validate on them), therefore we
>   need a tool to produce true MD5 hex hashes.

Well, obviously, I needed to go back to mod_auth_digest school as
htpasswd has nothing to do with mod_auth_digest which uses a
completely different format.  (I somehow forgot about htdigest.)

But, I still think producing unobfuscated md5 hashes is a useful
option, so I'll leave this commit in.  -- justin

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Justin Erenkrantz <je...@apache.org>.

On Tue, Sep 10, 2002 at 12:08:42AM -0700, Aaron Bannert wrote:
> On Mon, Sep 09, 2002 at 11:36:11PM -0700, Justin Erenkrantz wrote:
> > But, I still think producing unobfuscated md5 hashes is a useful
> > option, so I'll leave this commit in.  -- justin
> 
> I'm totally out of my league here, but is this different than say
> md5sum? (It still might make sense to keep it, or at least invent
> our own md5sum, since apache is probably more portable than md5sum.)

Well, what we do with the -m option to htpasswd is produce a
'special' md5 value prefixed by '$apr_1$' (or something like that).
Our apr_password_validate looks for the special string and calls
APR's md5 routines if it sees it (bypassing crypt() I think).  This
option to htpasswd skips that whole logic and produces a true md5
hash.

Yeah, a program in apr-util/test that was md5sum would be really
nice and prolly really easy to write.  =)  -- justin

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Aaron Bannert <aa...@clove.org>.

On Mon, Sep 09, 2002 at 11:36:11PM -0700, Justin Erenkrantz wrote:
> But, I still think producing unobfuscated md5 hashes is a useful
> option, so I'll leave this commit in.  -- justin

I'm totally out of my league here, but is this different than say
md5sum? (It still might make sense to keep it, or at least invent
our own md5sum, since apache is probably more portable than md5sum.)

-aaron

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by rb...@apache.org.

This message is complete hand-waving.  The point of htpasswd is to create
password files for mod_auth.  It doesn't create password files for use
with other authentication schemes.  More to the point, if anybody ever
uses this option, it will FAIL with mod_auth.  That violates the principle
of least astonishment.  If you don't document it, then it might as well
not be there.

Ryan

On Tue, 10 Sep 2002, Justin Erenkrantz wrote:

> On Tue, Sep 10, 2002 at 11:57:08AM -0400, rbb@apache.org wrote:
> > I agree with Bill.  Please revert this commit.  The problem is that
> 
> And, I think there is power in giving the user the choice to have
> correct MD5 hashes produced.  Not every use of htpasswd is going to
> be fed into apr_password_validate().  If I were to write a new
> auth scheme or a CGI script where the client sends a correct MD5
> hash of their password and I needed to verify that hash, this
> option would be essential.
> 
> It isn't the default (heck, we could remove the option from the
> help or rot13 the option description), but even if it produces
> something not portable with apr_password_validate() but is a correct
> MD5 hash, I think we should allow users to produce it.  -- justin
> 

-- 

_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Justin Erenkrantz <je...@apache.org>.

On Tue, Sep 10, 2002 at 11:31:20AM -0700, Aaron Bannert wrote:
> Although I like the idea of rethinking these sorts of things, I don't
> think we would do well to break current .htpasswd files or homebrew
> scripts that do the work of htpasswd.

I think we can do it in a way that wouldn't break old htpasswd
files.  If the first character is a {, then we look for a matching },
and everything in between should be a code for the algorithm used.

If the first character isn't a { or we don't have a matching }, then
it isn't a problem.

And, AFAIK, none of the current algorithms allow { or } as valid
characters (which is why LDAP uses it).  So, we really shouldn't see
a { without a matching }.  -- justin

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Aaron Bannert <aa...@clove.org>.

On Tue, Sep 10, 2002 at 11:19:34AM -0700, Justin Erenkrantz wrote:
> In case you've forgotten, there is no more mod_auth.  So, this is an
> opportunity to rethink how we store passwords.
> 
> I would think a much easier way would be to stop being fuzzy about
> the storage of the passwords and allow specification of what format
> the passwords are in.
> 
> I would much prefer seeing {crypt}, {md5}, {sha1} in the format
> that most LDAP implementations use.  That's definitely cleaner than
> relying on some weird magic symbol that breaks MD5 compatibility.
> 
> And, in order to be backwards compatible, we can leave the $apr1$
> fooness there, but...  Just a thought.  -- justin

Although I like the idea of rethinking these sorts of things, I don't
think we would do well to break current .htpasswd files or homebrew
scripts that do the work of htpasswd.

-aaron

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Justin Erenkrantz <je...@apache.org>.

On Tue, Sep 10, 2002 at 12:46:40PM -0500, William A. Rowe, Jr. wrote:
> You missed the point, anything that htpasswd or htdigest produce
> must be parsable by mod_auth or mod_auth_digest, respectively.

In case you've forgotten, there is no more mod_auth.  So, this is an
opportunity to rethink how we store passwords.

I would think a much easier way would be to stop being fuzzy about
the storage of the passwords and allow specification of what format
the passwords are in.

I would much prefer seeing {crypt}, {md5}, {sha1} in the format
that most LDAP implementations use.  That's definitely cleaner than
relying on some weird magic symbol that breaks MD5 compatibility.

And, in order to be backwards compatible, we can leave the $apr1$
fooness there, but...  Just a thought.  -- justin

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

At 12:24 PM 9/10/2002, Justin Erenkrantz wrote:
>On Tue, Sep 10, 2002 at 11:57:08AM -0400, rbb@apache.org wrote:
> > I agree with Bill.  Please revert this commit.  The problem is that
>
>And, I think there is power in giving the user the choice to have
>correct MD5 hashes produced.  Not every use of htpasswd is going to
>be fed into apr_password_validate().

You missed the point, anything that htpasswd or htdigest produce
must be parsable by mod_auth or mod_auth_digest, respectively.

-1 on this patch [veto], please back out your commit.

Now then... Mladen Turk offered several patches that would roll up
htpasswd and htdigest behavior (along with htdbm) into a single utility.
If you want a tool that creates different sorts of passwords using different
storage mechanisms, perhaps its time to review that submission.

It would be trivial to offer some .sh (.bat) scripts that replace the existing
htpasswd, htdigest and htdbm utilities, providing the -right- flags to this
new, single rollup utility based on the expected args of the old tools.

Bill

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by Justin Erenkrantz <je...@apache.org>.

On Tue, Sep 10, 2002 at 11:57:08AM -0400, rbb@apache.org wrote:
> I agree with Bill.  Please revert this commit.  The problem is that

And, I think there is power in giving the user the choice to have
correct MD5 hashes produced.  Not every use of htpasswd is going to
be fed into apr_password_validate().  If I were to write a new
auth scheme or a CGI script where the client sends a correct MD5
hash of their password and I needed to verify that hash, this
option would be essential.

It isn't the default (heck, we could remove the option from the
help or rot13 the option description), but even if it produces
something not portable with apr_password_validate() but is a correct
MD5 hash, I think we should allow users to produce it.  -- justin

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by rb...@apache.org.

On Tue, 10 Sep 2002, William A. Rowe, Jr. wrote:

> At 01:36 AM 9/10/2002, Justin Erenkrantz wrote:
> >On Tue, Sep 10, 2002 at 03:00:51AM -0000, jerenkrantz@apache.org wrote:
> > > jerenkrantz    2002/09/09 20:00:50
> > >
> > >   Modified:    .        CHANGES
> > >                support  htpasswd.c
> > >   Log:
> > >   Add ability to htpasswd (via -5) to produce non-obfuscated MD5 hashes.
> > >
> > >   mod_auth_digest's passwords can not be obfuscated by the APR magic
> > >   sequence (as we don't call apr_password_validate on them), therefore we
> > >   need a tool to produce true MD5 hex hashes.
> >
> >Well, obviously, I needed to go back to mod_auth_digest school as
> >htpasswd has nothing to do with mod_auth_digest which uses a
> >completely different format.  (I somehow forgot about htdigest.)
> >
> >But, I still think producing unobfuscated md5 hashes is a useful
> >option, so I'll leave this commit in.  -- justin
> 
> Can it be parsed by mod_auth from an .htpasswd file?
> 
> If not, please revert the commit.

I agree with Bill.  Please revert this commit.  The problem is that
mod_auth can't tell the difference between crypt() and MD5 without the
string, which is why it was added in the first place.  Also, MD5 isn't as
portable as we had originally hoped.  Some of the BSDs have modified their
crypt() algorithm, which uses MD5, to use a slightly incompatible
MD5.  This means that if you try to take a crypt() password file to from a
BSD machine, and move it to another box and try to make it use our MD5
algorithm, it won't work.

Ryan
_______________________________________________________________________________
Ryan Bloom                        	rbb@apache.org
550 Jean St
Oakland CA 94610
-------------------------------------------------------------------------------

Re: cvs commit: httpd-2.0/support htpasswd.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

At 01:36 AM 9/10/2002, Justin Erenkrantz wrote:
>On Tue, Sep 10, 2002 at 03:00:51AM -0000, jerenkrantz@apache.org wrote:
> > jerenkrantz    2002/09/09 20:00:50
> >
> >   Modified:    .        CHANGES
> >                support  htpasswd.c
> >   Log:
> >   Add ability to htpasswd (via -5) to produce non-obfuscated MD5 hashes.
> >
> >   mod_auth_digest's passwords can not be obfuscated by the APR magic
> >   sequence (as we don't call apr_password_validate on them), therefore we
> >   need a tool to produce true MD5 hex hashes.
>
>Well, obviously, I needed to go back to mod_auth_digest school as
>htpasswd has nothing to do with mod_auth_digest which uses a
>completely different format.  (I somehow forgot about htdigest.)
>
>But, I still think producing unobfuscated md5 hashes is a useful
>option, so I'll leave this commit in.  -- justin

Can it be parsed by mod_auth from an .htpasswd file?

If not, please revert the commit.

Bill