Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The following page has been changed by TomDonovan:
http://wiki.apache.org/httpd/Encrypted_Password

The comment on the change is:
First draft

New page:
= Apache Encrypted Passwords =

== Basic Authentication ==
There are four formats that Apache recognizes for basic-authentication 
passwords. Note that not all formats work on every platform:

 1. '''PLAIN TEXT''' ''(i.e. unencrypted)'' passwords: Windows, BEOS, & Netware 
only.
 2. '''CRYPT''' passwords:  Unix only. Calls the Unix crypt(3) function with a 
randomly-generated 32-bit salt and the password.
 3. '''SHA1''' passwords: {{{"{SHA}"}}} + Base64-encoded SHA-1 digest of the 
password.
 4. '''MD5''' passwords:  {{{"$apr1$"}}} + the result of an Apache-specific 
algorithm using an iterated (1,000 times) MD5 digest of various combinations of 
a randomly-generated 32-bit salt and the password. See the APR source file 
[http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup 
apr_md5.c] for the details of the algorithm.

==== The htpasswd program can be used to generate values ====
 * '''MD5'''
{{{
htpasswd -nbm myName myPassword
 myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
}}}
 * '''SHA1'''
{{{
htpasswd -nbs myName myPassword
 myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
}}}
 * '''CRYPT'''
{{{
htpasswd -nbd myName myPassword
 myName:rqXexS6ZhobKA
}}}
==== The OpenSSL command-line program can also be used to generate CRYPT and MD5 values ====
OpenSSL knows the Apache-specific MD5 algorithm.
 * '''MD5'''
{{{
openssl passwd -apr1 myPassword
 $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
}}}
 * '''CRYPT'''
{{{
openssl passwd -crypt myPassword
 qQ5vTYO3c8dsU
}}}

==== The OpenSSL command-line program can be used to validate CRYPT or MD5 passwords ====
 * '''CRYPT'''
The salt for a CRYPT password is the first two characters (as a Base64-encoded 
binary value).
To validate {{{myPassword}}} against {{{rqXexS6ZhobKA}}}
{{{
openssl passwd -crypt -salt rq  myPassword
 Warning: truncating password to 8 characters
 rqXexS6ZhobKA
}}}
Note that using {{{myPasswo}}} instead of {{{myPassword}}} will produce the 
same result because only the first 8 characters of CRYPT passwords are 
considered.

 * '''MD5'''
The salt for an MD5 password is between $apr1$ and the following $ (as a 
Base64-encoded binary value - max 8 chars).
To validate {{{myPassword}}} against {{{$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/}}}
{{{
openssl passwd -apr1 -salt r31.....  myPassword
 $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
}}}
=== Database password fields for mod_dbd ===
The SHA1 variant is probably the most useful format for DBD authentication. 
Since the SHA1-hash and Base64-encoding functions are commonly available, other 
software can populate a database with encrypted passwords which are usable by 
Apache basic authentication.

==== To create Apache SHA1-variant basic-authentication passwords in other languages ====
 * '''PHP'''
{{{'{SHA}' . base64_encode(sha1($password, TRUE))
}}}
 * '''Java'''
{{{"{SHA}" + java.util.Base64.getEncoder().encodeToString(java.security.MessageDigest.getInstance("SHA-1").digest(password.getBytes()))
}}}
 * '''ColdFusion'''
{{{"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
}}}
 * '''Ruby'''
{{{require 'digest/sha1'
require 'base64'
# strict_encode64 adds no trailing newline (encode64 would append "\n")
'{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(password))
}}}
 * '''C or C++'''
Use the APR function:    
[http://apr.apache.org/docs/apr-util/1.2/apr__sha1_8h.html#38a5ac487992a24e941b7501273829e8
 void apr_sha1_base64(const char *clear, int len, char *out)]
 * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)''
{{{'{SHA}'||encode(digest(password,'sha1'),'base64')
}}}
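
The SHA1 and MD5 formats described above can also be recomputed and checked without htpasswd or OpenSSL. The following Python sketch is an added example, not part of the original wiki page or of APR; the function names {{{sha_hash}}}, {{{apr1_hash}}} and {{{verify}}} are chosen for illustration, and the MD5 routine follows the algorithm in apr_md5.c.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha_hash(password: str) -> str:
    """SHA1 variant: '{SHA}' + Base64(SHA-1(password)); no salt is involved."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def apr1_hash(password: str, salt: str) -> str:
    """MD5 variant: the salted, iterated algorithm from apr_md5.c."""
    pw, s = password.encode(), salt[:8].encode()
    inner = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for left in range(len(pw), 0, -16):      # len(pw) bytes of the inner digest
        ctx.update(inner[:min(16, left)])
    n = len(pw)
    while n:                                 # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                    # the 1,000 MD5 iterations
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    words = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups]
    for value, count in words + [(final[11], 2)]:
        for _ in range(count):               # 6 bits per character, low bits first
            out += ITOA64[value & 0x3F]
            value >>= 6
    return "$apr1$" + salt[:8] + "$" + out

def verify(stored: str, password: str) -> bool:
    """Recompute the hash in the stored entry's own format and compare."""
    if stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    elif stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])  # salt field
    else:
        raise ValueError("format not handled in this example")
    # Constant-time comparison of the two encoded strings
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

Because the SHA1 variant has no salt, {{{sha_hash}}} returns the same string for the same password every time, whereas {{{apr1_hash}}} output changes with the salt stored in the entry.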


== Digest Authentication ==
There is only one format which Apache recognizes for digest-authentication 
passwords.
This format is the MD5 hash of the string {{{user:realm:password}}} as a 
32-character string of hexadecimal digits.  {{{realm}}} is the ''Authorization 
Realm'' argument to the AuthName directive in httpd.conf.

=== Database password fields for mod_dbd ===
Since the MD5-hash function is commonly available, other software can populate 
a database with encrypted passwords which are usable by Apache digest 
authentication.

==== To create Apache digest-authentication passwords in other languages ====
 * '''PHP'''
{{{md5($user . ':' . $realm . ':' .$password)
}}}
 * '''Java'''
{{{byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
// Signum 1 keeps the value non-negative; %032x restores any leading zeros
String s = String.format("%032x", new java.math.BigInteger(1, b));
// String s is the digest hash
}}}
 * '''ColdFusion'''
{{{LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
}}}
 * '''Ruby'''
{{{require 'digest/md5'
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
}}}
