Posted to users@httpd.apache.org by Bo Berglund <bo...@gmail.com> on 2013/05/02 19:50:31 UTC

[users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?

I am trying to understand the use of MD5 as passwords for Apache,
previously I have always used CRYPT:ed passwords in my .htpasswd file.
Because Apache on Windows does not allow CRYPT:ed passwords (see
earlier thread) I am investigating the MD5 possibility.
The problem I have is that I need to let my code generate the hashes
written to the .htpasswd file in such a way that Apache will be OK
with them.
When reading the PHP documentation I find that the output of the md5()
function is a 32 byte hex string.
But the hash generated by the Apache htpasswd command on Windows
produces hashes like this:
$apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0

As you can see this is clearly NOT a hex string at all!!!

So is it possible with PHP to generate the .htpasswd file in a format
that complies with what Apache needs?

And can PHP check if a password hash matches the user supplied
password after it has been hashed using MD5?


-- 
Bo Berglund
Developer in Sweden


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: Does Apache htpasswd using md5 match the PHP md5 function result?

Posted by Bo Berglund <bo...@gmail.com>.
On Thu, 02 May 2013 14:46:36 -0400, Ben Johnson <be...@indietorrent.org>
wrote:

>
>P.S. I advise you not to try to write-out your htpasswd files using pure
>PHP. It seems much more sound to use the Apache-provided utility
>executables to manipulate htpasswd and related files.
>
>In other words, use PHP's proc_open() or similar to call the appropriate
>utility to manipulate the Apache files. I think you would have a hell of
>a time trying to recreate in PHP all the functionality that *already
>exists* in those utilities.
>
UPDATE:
After some time being spent on PHP coding for Android app registration
with MySql integration I am back at the password checking.
Turns out that now that I know PHP better I have been able to verify
that the PHP function crypt(<passwd>, <salt>) generates the expected
hash on my Win7 based test system running Apache and PHP5.
It is only the Apache supplied password utility that seems unable to
create password files with the UNIX crypt hashes and also to use these
hashes for user verification. :-(

PHP in and of itself is capable of handling the hashing in a way
compatible to UNIX/LINUX based systems. And this gives me the
possibility to create a htpasswd file via PHP on any host system as
long as PHP5 or above is used.
User verification against that hash is also possible.


-- 
Bo Berglund
Developer in Sweden




Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?

Posted by Ben Johnson <be...@indietorrent.org>.

On 5/2/2013 2:19 PM, Ben Johnson wrote:
> 
> 
> On 5/2/2013 1:50 PM, Bo Berglund wrote:
>> I am trying to understand the use of MD5 as passwords for Apache,
>> previously I have always used CRYPT:ed passwords in my .htpasswd file.
>> Because Apache on Windows does not allow CRYPT:ed passwords (see
>> earlier thread) I am investigating the MD5 possibility.
>> The problem I have is that I need to let my code generate the hashes
>> written to the .htpasswd file in such a way that Apache will be OK
>> with them.
>> When reading the PHP documentation I find that the output of the md5()
>> function is a 32 byte hex string.
>> But the hash generated by the Apache htpasswd command on Windows
>> produces hashes like this:
>> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
>>
>> As you can see this is clearly NOT a hex string at all!!!
>>
>> So is it possible with PHP to generate the .htpasswd file in a format
>> that complies with what Apache needs?
>>
>> And can PHP check if a password hash matches the user supplied
>> password after it has been hashed using MD5?
>>
>>
> 
> Hi again, Bo,
> 
> Yes, it is possible for PHP to generate the .htpasswd file by calling a
> standalone binary directly (e.g., with proc_open() or other functions in
> the same family).
> 
> Likewise, PHP can validate the hash using the same method.
> 
> From the manual page that I cited in a previous response (
> http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ):
> 
> -----------------------------------------------------------------------
> "$apr1$" + the result of an Apache-specific algorithm using an iterated
> (1,000 times) MD5 digest of various combinations of a random 32-bit salt
> and the password. See the APR source file apr_md5.c for the details of
> the algorithm.
> 
> [...]
> 
> Generating values with htpasswd
> 
> MD5
> 
> $ htpasswd -nbm myName myPassword
> myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> [...]
> 
> Generating CRYPT and MD5 values with the OpenSSL command-line program
> 
> OpenSSL knows the Apache-specific MD5 algorithm.
> 
> MD5
> 
> $ openssl passwd -apr1 myPassword
> $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
> 
> [...]
> 
> Validating CRYPT or MD5 passwords with the OpenSSL command line program
> 
> The salt for an MD5 password is between $apr1$ and the following $ (as a
> Base64-encoded binary value - max 8 chars). To validate myPassword
> against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> MD5
> 
> $ openssl passwd -apr1 -salt r31..... myPassword
> $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
> 
> -----------------------------------------------------------------------
> 
> So, at a minimum, it seems that you should be able to generate
> Apache-readable hashes using either the Apache-provided utility
> binary, htpasswd, or the "openssl" binary. Given that openssl is
> available for most (or all) platforms, including Windows, one of the two
> should be sufficient.
> 
> I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html .
> 
> Trying htpasswd first:
> 
> Generate password:
> 
> htpasswd -nbm myName myPassword
> myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1
> 
> Validate password:
> 
> openssl passwd -apr1 -salt QF/F.cm5 myPassword
> $apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1
> 
> (the hashes match; the password is valid)
> 
> Trying openssl next:
> 
> openssl passwd -apr1 myPassword
> $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/
> 
> openssl passwd -apr1 -salt f/X4Z7kl myPassword
> $apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/
> 
> (the hashes match; the password is valid)
> 
> This should be everything you need.
> 
> -Ben

P.S. I advise you not to try to write-out your htpasswd files using pure
PHP. It seems much more sound to use the Apache-provided utility
executables to manipulate htpasswd and related files.

In other words, use PHP's proc_open() or similar to call the appropriate
utility to manipulate the Apache files. I think you would have a hell of
a time trying to recreate in PHP all the functionality that *already
exists* in those utilities.

Good luck

-Ben



Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?

Posted by Ben Johnson <be...@indietorrent.org>.

On 5/2/2013 1:50 PM, Bo Berglund wrote:
> I am trying to understand the use of MD5 as passwords for Apache,
> previously I have always used CRYPT:ed passwords in my .htpasswd file.
> Because Apache on Windows does not allow CRYPT:ed passwords (see
> earlier thread) I am investigating the MD5 possibility.
> The problem I have is that I need to let my code generate the hashes
> written to the .htpasswd file in such a way that Apache will be OK
> with them.
> When reading the PHP documentation I find that the output of the md5()
> function is a 32 byte hex string.
> But the hash generated by the Apache htpasswd command on Windows
> produces hashes like this:
> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
> 
> As you can see this is clearly NOT a hex string at all!!!
> 
> So is it possible with PHP to generate the .htpasswd file in a format
> that complies with what Apache needs?
> 
> And can PHP check if a password hash matches the user supplied
> password after it has been hashed using MD5?
> 
> 

Hi again, Bo,

Yes, it is possible for PHP to generate the .htpasswd file by calling a
standalone binary directly (e.g., with proc_open() or other functions in
the same family).

Likewise, PHP can validate the hash using the same method.

From the manual page that I cited in a previous response (
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic ):

-----------------------------------------------------------------------
"$apr1$" + the result of an Apache-specific algorithm using an iterated
(1,000 times) MD5 digest of various combinations of a random 32-bit salt
and the password. See the APR source file apr_md5.c for the details of
the algorithm.

[...]

Generating values with htpasswd

MD5

$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

[...]

Generating CRYPT and MD5 values with the OpenSSL command-line program

OpenSSL knows the Apache-specific MD5 algorithm.

MD5

$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

[...]

Validating CRYPT or MD5 passwords with the OpenSSL command line program

The salt for an MD5 password is between $apr1$ and the following $ (as a
Base64-encoded binary value - max 8 chars). To validate myPassword
against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

MD5

$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

-----------------------------------------------------------------------

So, at a minimum, it seems that you should be able to generate
Apache-readable hashes using either the Apache-provided utility
binary, htpasswd, or the "openssl" binary. Given that openssl is
available for most (or all) platforms, including Windows, one of the two
should be sufficient.

I grabbed openSSL from http://slproweb.com/products/Win32OpenSSL.html .

Trying htpasswd first:

Generate password:

htpasswd -nbm myName myPassword
myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

Validate password:

openssl passwd -apr1 -salt QF/F.cm5 myPassword
$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1

(the hashes match; the password is valid)

Trying openssl next:

openssl passwd -apr1 myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

openssl passwd -apr1 -salt f/X4Z7kl myPassword
$apr1$f/X4Z7kl$XA7sEz7.aRdZX0ZMweLXd/

(the hashes match; the password is valid)

This should be everything you need.

-Ben
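
Added example (not part of the thread, and not code from Apache, OpenSSL or PHP): a Python rendering of the $apr1$ scheme that the manual excerpt above describes, following the algorithm in apr_md5.c, to show why a plain md5() hex digest never matches an htpasswd entry and how verification re-hashes with the stored salt. The function names are assumptions of this example; the sample line is the htpasswd output quoted in the message above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# htpasswd line taken from the message above (password: myPassword)
SAMPLE_LINE = "myName:$apr1$QF/F.cm5$Fz6Y5X2lgdJmpxlHPTtzl1"

def apr1_hash(password: str, salt: str) -> str:
    """Compute an Apache $apr1$ hash (salted, 1,000 MD5 rounds, custom base64)."""
    pw, sl = password.encode(), salt[:8].encode()
    md5 = lambda data: hashlib.md5(data).digest()
    alt = md5(pw + sl + pw)
    ctx = pw + b"$apr1$" + sl
    ctx += (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:                       # one extra byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = md5(ctx)
    for i in range(1000):          # the "iterated (1,000 times)" part
        buf = pw if i & 1 else final
        if i % 3:
            buf += sl
        if i % 7:
            buf += pw
        buf += final if i & 1 else pw
        final = md5(buf)
    out = []                       # digest bytes are permuted, then 6-bit encoded
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        out += [ITOA64[v >> s & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return "$apr1$" + sl.decode() + "$" + "".join(out)

def verify_htpasswd_line(line: str, password: str) -> bool:
    """Check a password against one 'user:$apr1$salt$digest' line."""
    _user, _, stored = line.strip().partition(":")
    parts = stored.split("$")      # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False               # not an apr1 entry (e.g. a bare md5 hex string)
    candidate = apr1_hash(password, parts[2])
    # constant-time comparison of the recomputed and stored strings
    return hmac.compare_digest(candidate.encode(), stored.encode())
```
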


