Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by noodl: http://wiki.apache.org/httpd/EncryptedPasswords The comment on the change is: Deleted, save for a note about new home. ------------------------------------------------------------------------------ ## page was renamed from Encrypted Password - '''Note:''' This page is being added to the main docs, at http://httpd.apache.org/docs/trunk/misc/password_encryptions.html. noodl will monitor any changes here for a week before removing this page, beyond which point any suggestions should be sent to the [EMAIL PROTECTED] list. + Moved to http://httpd.apache.org/docs/trunk/misc/password_encryptions.html - = Basic Authentication = - There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform: - - 1. '''PLAIN TEXT''' ''(i.e. unencrypted)'' passwords: __Windows, BEOS, & Netware only__. - 2. '''CRYPT''' passwords: __Unix only__. Uses the traditional Unix {{{crypt(3)}}} function with a random 32-bit salt ~-(only 12 bits used)-~ and the first 8 characters of the password. - 3. '''SHA1''' passwords: {{{"{SHA}"}}} + Base64-encoded SHA-1 digest of the password. - 4. '''MD5''' passwords: {{{"$apr1$"}}} + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file [http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup apr_md5.c] for the details of the algorithm. - - ==== The htpasswd program can be used to generate values ==== - * '''MD5''' - {{{ - htpasswd -nbm myName myPassword - myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ - }}} - * '''SHA1''' - {{{ - htpasswd -nbs myName myPassword - myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE= - }}} - * '''CRYPT''' - {{{ - htpasswd -nbd myName myPassword - myName:rqXexS6ZhobKA - }}} - ==== The OpenSSL command-line program can also be used to generate CRYPT and MD5 values ==== - OpenSSL knows the Apache-specific MD5 algorithm. - * '''MD5''' - {{{ - openssl passwd -apr1 myPassword - $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 - }}} - * '''CRYPT''' - {{{ - openssl passwd -crypt myPassword - qQ5vTYO3c8dsU - }}} - - ==== The OpenSSL command line program can be used to validate CRYPT or MD5 passwords ==== - * '''CRYPT''' - The salt for a CRYPT password is the first two characters ~-(converted to a binary value)-~. - - To validate {{{myPassword}}} against {{{rqXexS6ZhobKA}}} - {{{ - openssl passwd -crypt -salt rq myPassword - Warning: truncating password to 8 characters - rqXexS6ZhobKA - }}} - Note that using {{{myPasswo}}} instead of {{{myPassword}}} will produce the same result because only the first 8 characters of CRYPT passwords are considered. - - * '''MD5''' - The salt for an MD5 password is between {{{$apr1$}}} and the following {{{$}}} ~-(converted to a binary value - max 8 chars)-~. - - To validate {{{myPassword}}} against {{{$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/}}} - {{{ - openssl passwd -apr1 -salt r31..... myPassword - $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ - }}} - === Database password fields for mod_dbd === - The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords which are usable by Apache basic authentication. - - ==== To create Apache SHA1-variant basic-authentication passwords in other languages ==== - * '''PHP''' - {{{'{SHA}' . base64_encode(sha1($password, TRUE)) - }}} - * '''Java''' - {{{"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes())) - }}} - * '''!ColdFusion''' - {{{"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex")) - }}} - * '''Ruby''' - {{{require 'digest/sha1' - require 'base64' - '{SHA}' + Base64.encode64(Digest::SHA1.digest(password)) - }}} - * '''C or C++''' - Use the APR function: [http://apr.apache.org/docs/apr-util/1.2/apr__sha1_8h.html#38a5ac487992a24e941b7501273829e8 void apr_sha1_base64(const char *clear, int len, char *out)] - * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)'' - {{{'{SHA}'||encode(digest(password,'sha1'),'base64') - }}} - - - = Digest Authentication = - Apache only recognizes one format for digest-authentication passwords - the MD5 hash of the string {{{user:realm:password}}} as a 32-character string of hexadecimal digits. - - {{{realm}}} is the '''Authorization Realm''' argument to the AuthName directive. - - === Database password fields for mod_dbd === - Since the MD5 function is commonly available, other software can populate a database with encrypted passwords which are usable by Apache digest authentication. - - ==== To create Apache digest-authentication passwords in other languages ==== - * '''PHP''' - {{{md5($user . ':' . $realm . ':' .$password) - }}} - * '''Java''' - {{{byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes()); - java.math.BigInteger bi = new java.math.BigInteger(b); - String s = bi.toString(16); - if (s.length() % 2 != 0) s = "0" + s; - // String s is the encrypted password - }}} - * '''!ColdFusion''' - {{{LCase(Hash( (user & ":" & realm & ":" & password) , "MD5")) - }}} - * '''Ruby''' - {{{require 'digest/md5' - Digest::MD5.hexdigest(user + ':' + realm + ':' + password) - }}} - * '''PostgreSQL''' ''(with the contrib/pgcrypto functions installed)'' - {{{ - encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex') - }}} -
