Posted to users@httpd.apache.org by Pete Nelson <pe...@ci.stpaul.mn.us> on 2002/04/16 15:20:42 UTC
RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
Win2k, and both happily took a 19-character password
(thisisalongpassword). I am pretty confident that it should also work
on Apache 1.3.19 on most platforms.
--
Pete Nelson, Web Developer
<pe...@ci.stpaul.mn.us>
http://www.ci.stpaul.mn.us/
>>> milind.sawant@skandiabank.ch 04/16/02 03:01AM >>>
Hi
I would appreciate it if anyone has any input on this.
I need confirmation of whether or not a password of more than 8 characters is
possible with "Basic Authentication" in apache.
thanks
Milind Sawant
Web Administrator (Apollo)
TCS
+0041 1 288 4675
-----Original Message-----
From: Milind Sawant [mailto:milind.sawant@skandiabank.ch]
Sent: 11 April 2002 15:52
To: users@httpd.apache.org; chet@rcn.com
Subject: RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Hi
thanks for your inputs
Basic authentication uses the htpasswd utility to create passwords.
The default is the -d option, which forces CRYPT encryption of the
password.
I tried using the -m (Force MD5 encryption of the password) option.
It is not working. Apache always throws a password mismatch error.
Is it possible to use other options of the htpasswd utility with Basic
authentication in Apache?
I am interested in an option which will enable passwords of more than 8
characters.
please let me know
thanks
Milind Sawant
Web Administrator (Apollo)
TCS
+0041 1 288 4675
-----Original Message-----
From: Chet Luther [mailto:chet@rcn.com]
Sent: 10 April 2002 14:49
To: users@httpd.apache.org
Subject: Re: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Unfortunately, basic authentication just uses the standard UNIX crypt
function to create the password hashes. 8 characters is the limit. You may
want to check out mod_auth_digest for longer passwords.
> Hi
>
> The Basic Authentication in apache 1.3.19 is using only the first 8
> characters of the password for authentication.
> any characters more than 8 characters in the password are ignored.
>
> Is this the behaviour or can we configure apache 1.3.19 to use more than 8
> characters in the password for basic authentication?
>
> let me know
>
> thanks
>
> Milind Sawant
> Web Administrator (Apollo)
> TCS
>
> +0041 1 288 4675
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
RE: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Posted by Milind Sawant <mi...@skandiabank.ch>.
Hi
thanks for your concern
The Basic Authentication in apache uses the htpasswd utility to generate
passwords.
A) The default option is -d (Force CRYPT encryption of the password).
You can create a password of more than 8 characters.
But only the first 8 characters are relevant.
As Owen Boyle has rightly pointed out, if "xxxxxxxxYBDCDC" is your password
and on authentication you supply "xxxxxxxxADBDD" as the password, you can
log in.
B) Using other options like -m (MD5 encryption) and -s (SHA encryption) don't
work.
I can generate the password but get a password mismatch error on
authentication.
Do you have the same experience?
Milind
Milind Sawant
Web Administrator (Apollo)
TCS
+0041 1 288 4675
-----Original Message-----
From: obo@bourse.ch [mailto:obo@bourse.ch]
Sent: 16 April 2002 15:28
To: users@httpd.apache.org
Subject: Re: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword). I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.
Did you test whether all the characters were significant? AFAIK, apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the same.
Rgds,
Owen Boyle.
Re: basic authentication in apache 1.3.19 ignoring more than 8 characters in the password.
Posted by Owen Boyle <ob...@bourse.ch>.
Pete Nelson wrote:
>
> I just tested this on Apache 1.3.22 on RedHat 6.2 and Apache 1.3.24 on
> Win2k, and both happily took a 19-character password
> (thisisalongpassword). I am pretty confident that it should also work
> on Apache 1.3.19 on most platforms.
Did you test whether all the characters were significant? AFAIK, apache
uses the system passwd utility which is sensitive only to the first 8
chars. You can put in more if you like but they are not significant. In
other words, "thisisalongpassword" and "thisisalxxxxxxxxx" are the same.
Rgds,
Owen Boyle.
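
An added example, not part of any message in this thread: a small audit of an htpasswd file that tells apart the entry formats written by the -d, -m and -s options discussed above and flags the CRYPT entries, where only the first 8 characters of the password are significant. The sample file, the user names and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

# Shapes of the entries written by htpasswd -d, -m and -s.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char DES hash
APR1_RE = re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
SHA_PREFIX = "{SHA}"


def sha_entry(password):
    """Build the value htpasswd -s stores: base64 of the unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def classify(stored):
    """Return (scheme, significant_chars); None means the whole password counts."""
    if stored.startswith(SHA_PREFIX):
        return "sha1", None
    if APR1_RE.match(stored):
        return "apr1-md5", None
    if CRYPT_RE.match(stored):
        return "des-crypt", 8
    return "unknown", None


def audit(htpasswd_text):
    """Map each user to its scheme and flag entries limited to 8 characters."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        scheme, limit = classify(stored)
        report[user] = {"scheme": scheme, "truncates_at": limit}
    return report


# Constructed sample file: the crypt and apr1 values only have the right shape,
# they are not hashes of any particular password.
SAMPLE = "\n".join([
    "alice:abJnggxhB/yWI",
    "bob:$apr1$Zx3kQ9pL$0123456789abcdefghijkl",
    "carol:" + sha_entry("thisisalongpassword"),
])

if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
```

Entries reported with truncates_at set to 8 are the ones to regenerate with a scheme that hashes the whole password.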