Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change 
notification.

The following page has been changed by TomDonovan:
http://wiki.apache.org/httpd/EncryptedPasswords

The comment on the change is:
re: bits in salt (for the very fussy) - PostgreSQL dgst example - retested code

------------------------------------------------------------------------------
  = Basic Authentication =
  There are four formats that Apache recognizes for basic-authentication 
passwords. Note that not all formats work on every platform:
  
-  1. '''PLAIN TEXT''' ''(i.e. unencrypted)'' passwords: Windows, BEOS, & 
Netware only.
+  1. '''PLAIN TEXT''' ''(i.e. unencrypted)'' passwords: __Windows, BEOS, & 
Netware only__.
-  2. '''CRYPT''' passwords:  Unix only. Calls the Unix crypt(3) function with 
a randomly-generated 32-bit salt and the password.
+  2. '''CRYPT''' passwords:  __Unix only__. Uses the traditional Unix 
{{{crypt(3)}}} function with a random 32-bit salt ~-(only 12 bits used)-~ and 
the first 8 characters of the password.
   3. '''SHA1''' passwords: {{{"{SHA}"}}} + Base64-encoded SHA-1 digest of the 
password.
-  4. '''MD5''' passwords:  {{{"$apr1$"}}} + the result of an Apache-specific 
algorithm using an iterated (1,000 times) MD5 digest of various combinations of 
a randomly-generated 32-bit salt and the password. See the APR source file 
[http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup 
apr_md5.c] for the details of the algorithm.
+  4. '''MD5''' passwords:  {{{"$apr1$"}}} + the result of an Apache-specific 
algorithm using an iterated (1,000 times) MD5 digest of various combinations of 
a random 32-bit salt and the password. See the APR source file 
[http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup 
apr_md5.c] for the details of the algorithm.
  
  ==== The htpasswd program can be used to generate values ====
   * '''MD5'''
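Review bot: item 3 (the SHA1 format) is the only one of the four with no salt at all, and the list never says so; since the mod_dbd section below picks this format as "probably the most useful", add a parenthetical such as ~-(unsalted: identical passwords give identical stored values, and the digest can be precomputed)-~ so readers choosing a database format know the trade-off. The salt wording in items 2 and 4 is also inconsistent with the openssl section later in this change: item 4 says "a random 32-bit salt", yet the MD5 example there uses an 8-character salt (8 characters of the ./0-9A-Za-z alphabet carry 48 bits). If htpasswd expands 32 random bits into those 8 characters, say that; otherwise drop "32-bit" and describe the salt as it is stored, as was done for CRYPT with the ~-(only 12 bits used)-~ note.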
@@ -45, +45 @@

  
  ==== The OpenSSL command line program can be used to validate CRYPT or MD5 
passwords ====
   * '''CRYPT'''
- The salt for a CRYPT password is the first two characters (as a 
Base64-encoded binary value).
+ The salt for a CRYPT password is the first two characters ~-(converted to a 
binary value)-~.
+ 
  To validate {{{myPassword}}} against {{{rqXexS6ZhobKA}}}
  {{{
  openssl passwd -crypt -salt rq  myPassword
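Review bot: "~-(converted to a binary value)-~" is vaguer than the text it replaces and still does not connect the two characters to the 12 bits mentioned in the first hunk. Dropping "Base64-encoded" is correct, because crypt(3) uses the alphabet ./0-9A-Za-z (one value from 0 to 63 per character), not the Base64 alphabet, but the page should say so, e.g. "~-(two characters from the crypt alphabet ./0-9A-Za-z, each encoding 6 bits, i.e. the 12-bit salt)-~". That also explains why {{{-salt rq}}} is all openssl needs and why the stored salt has to be reused to validate.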
@@ -55, +56 @@

  Note that using {{{myPasswo}}} instead of {{{myPassword}}} will produce the 
same result because only the first 8 characters of CRYPT passwords are 
considered.
  
   * '''MD5'''
- The salt for an MD5 password is between $apr1$ and the following $ (as a 
Base64-encoded binary value - max 8 chars)
+ The salt for an MD5 password is between {{{$apr1$}}} and the following 
{{{$}}} ~-(converted to a binary value - max 8 chars)-~.
+ 
  To validate {{{myPassword}}} against 
{{{$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/}}}
  {{{
  openssl passwd -apr1 -salt r31.....  myPassword
   $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
  }}}
  === Database password fields for mod_dbd ===
- The SHA1 variant is probably the most useful format for DBD authentication. 
Since the SHA1-hash and Base64-encoding functions are commonly available, other 
software can populate a database with encrypted passwords which are usable by 
Apache basic authentication.
+ The SHA1 variant is probably the most useful format for DBD authentication. 
Since the SHA1 and Base64 functions are commonly available, other software can 
populate a database with encrypted passwords which are usable by Apache basic 
authentication.
  
  ==== To create Apache SHA1-variant basic-authentication passwords in other 
languages ====
   * '''PHP'''
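Review bot: "~-(converted to a binary value - max 8 chars)-~" is wrong for {{{$apr1$}}}: in the apr_md5.c algorithm linked in the first hunk, the salt is fed to MD5 as the literal bytes of the text between {{{$apr1$}}} and the next {{{$}}} (the source calls it "the raw salt"), it is never decoded, which is why {{{r31.....}}} is passed to {{{openssl passwd -apr1 -salt}}} exactly as it appears in the stored value. Suggested wording: "The salt for an MD5 password is the text between {{{$apr1$}}} and the following {{{$}}} ~-(up to 8 characters, used as-is)-~."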
@@ -87, +89 @@

  
  
  = Digest Authentication =
- There is only one format which Apache recognizes for digest-authentication 
passwords.
- This format is the MD5 hash of the string {{{user:realm:password}}} as a 
32-character string of hexadecimal digits.  {{{realm}}} is the ''Authorization 
Realm'' argument to the AuthName directive in httpd.conf.
+ Apache only recognizes one format for digest-authentication passwords - the 
MD5 hash of the string {{{user:realm:password}}} as a 32-character string of 
hexadecimal digits.
+ 
+ {{{realm}}} is the '''Authorization Realm''' argument to the AuthName 
directive.
  
  === Database password fields for mod_dbd ===
- Since the MD5-hash function is commonly available, other software can 
populate a database with encrypted passwords which are usable by Apache digest 
authentication.
+ Since the MD5 function is commonly available, other software can populate a 
database with encrypted passwords which are usable by Apache digest 
authentication.
  
  ==== To create Apache digest-authentication passwords in other languages ====
   * '''PHP'''
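Review bot: the rewritten description should state that the 32 hexadecimal digits must be lowercase: mod_auth_digest uses the stored value as a string when it computes the expected response, and the client side produces lowercase hex (RFC 2617's H() function), so an uppercase hash never matches; this is exactly why the ColdFusion example in the next hunk wraps Hash() in LCase(). It is also worth one sentence that this value (HA1 in RFC 2617 terms) is password-equivalent for the realm: anyone who reads it out of the database can authenticate as that user without knowing the password, so "encrypted passwords" understates what the table holds.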
@@ -101, +104 @@

  {{{byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + 
":" + realm + ":" + password ).getBytes());
  java.math.BigInteger bi = new java.math.BigInteger(b);
  String s = bi.toString(16);
- if (s.length() % 2 != 0)
+ if (s.length() % 2 != 0)  s = "0" + s;
+ // String s is the encrypted password
-     s = "0" + s;
- // String s is the digest hash
  }}}
   * '''!ColdFusion'''
  {{{LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))
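Review bot: the Java example is still incorrect after the reformatting: {{{new java.math.BigInteger(b)}}} interprets the digest as a signed two's-complement number, so any hash whose first byte is 0x80 or above becomes negative and {{{toString(16)}}} starts with "-", and a digest with leading zero bytes loses more than the single nibble that the {{{% 2}}} check pads back. Use the sign-magnitude constructor and fixed-width formatting instead: {{{java.math.BigInteger bi = new java.math.BigInteger(1, b);}}} followed by {{{String s = String.format("%032x", bi);}}}, which makes the odd-length check unnecessary. The trailing comment read "digest hash" before this change, which is more accurate than "encrypted password" for what {{{s}}} holds.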
@@ -112, +114 @@

  {{{require 'digest/md5'
  Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
  }}}
+  * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)''
+ {{{
+ encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
+ }}}
  
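Review bot: {{{user}}} is a reserved word in PostgreSQL that evaluates to the name of the session user, so {{{user || ':' || realm || ':' || password}}} silently hashes the connecting role's name rather than a column called user; quote the identifier ({{{"user"}}}) or use a column name such as username, and say which is meant. Also, pgcrypto is not needed for this format: the built-in {{{md5(text)}}} function returns the lowercase hex string directly, so {{{md5("user" || ':' || realm || ':' || password)}}} produces the same value with no contrib module installed; keep the {{{digest()}}} form only if the point is to show the pgcrypto functions.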
