[plug] Apache & htpasswd

Brian Tombleson brian at paradigmit.com.au
Mon May 21 11:26:10 WST 2001


Hi Christian,

Appreciate you trying, but I have more questions :) ..

From: "Christian" <christian at amnet.net.au>
> On Mon, May 21, 2001 at 09:30:50AM +0800, Brian Tombleson wrote:
> > error_log entry:
> > [Sun May 20 10:08:59 2001] [error] [client 203.59.147.233] user junior:
> > authentication failure for "/restricted/toolbar_restricted.htm": password
> > mismatch

<snip>

> The final option is to use the crypt() library function which is
> basically the same hashing algorithm used for user's login passwords on
> the system.  Although from my quick skim of the manual page I can't find
> this stated, I have a feeling that this is the default algorithm so if
> you've just been using htpasswd without either of the other command line
> options then your passwords are probably hashed with this.

I believe this to be the case also.

> Now, I'm almost 100% positive that Apache includes some information at
> the start of the hash in the password file that identifies which hash
> was used (the same way as in /etc/shadow).  What this means is that it
> shouldn't just randomly fail if one of the different hash algorithms
> mentioned above has been used since the program can tell how the
> password was hashed and automatically use the correct algorithm.

The /etc/shadow does include information at the start of the password
string, presumably a reference to the encryption algorithm.  Unfortunately,
the current apache htpasswd file does not, although it can when you change
algorithm via the switches.

Password entry from the old schema (majority in this format):
junior:jutt65bRqol9h9SQRsNR5aX/

A different one from old schema (some in this format):
test1:4Ot32i2AbtEQo

New one added with -m param:
testing:$apr1$f8039/..$uXy6ZEf8z9m7OCZDxVVME.

New one added with -s param:
testing:{SHA}GvF+c3IdvgxAARuC7Uuxp9vjzik=

New one added with -d param:
testing:6P/OqUAOM4ykY

New one added with no htpasswd params:
testing:LMevUHwLm/bOw
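
A format check for the entries listed above, as an added example that is not part of the original post: it labels each htpasswd line by the shape of its password field (the `$apr1$` and `{SHA}` prefixes, or the 13-character crypt() form that carries no prefix). The function names and scheme labels are assumptions of this example; the sample lines are the entries quoted in the message.

```python
import base64
import re

CRYPT_CHARS = re.compile(r"[./0-9A-Za-z]+")  # alphabet of crypt()-style hashes

def classify_hash(hashed):
    """Name the scheme a password field appears to use, judged by format only."""
    if hashed.startswith("$apr1$"):
        parts = hashed.split("$")  # ['', 'apr1', salt, digest]
        ok = len(parts) == 4 and 1 <= len(parts[2]) <= 8 and len(parts[3]) == 22
        return "apr1-md5" if ok else "malformed-apr1"
    if hashed.startswith("{SHA}"):
        try:
            digest = base64.b64decode(hashed[5:], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed-sha1"
        return "sha1" if len(digest) == 20 else "malformed-sha1"
    if len(hashed) == 13 and CRYPT_CHARS.fullmatch(hashed):
        return "des-crypt"  # 2-char salt + 11-char hash, no identifying prefix
    return "unrecognised"

def audit_htpasswd(text):
    """Classify every user:hash line; returns a list of (user, scheme)."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        results.append((user, classify_hash(hashed) if sep else "no-hash-field"))
    return results

# Entries as quoted in the message above.
SAMPLE = """\
junior:jutt65bRqol9h9SQRsNR5aX/
test1:4Ot32i2AbtEQo
testing:$apr1$f8039/..$uXy6ZEf8z9m7OCZDxVVME.
testing:{SHA}GvF+c3IdvgxAARuC7Uuxp9vjzik=
testing:6P/OqUAOM4ykY
testing:LMevUHwLm/bOw
"""

if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE):
        print(f"{user:10} {scheme}")
```

The 24-character `junior` field comes back as `unrecognised`: it matches none of the formats htpasswd produced in the message, while the `-d` and no-parameter entries share the same 13-character shape as `test1`.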
