Apache Development
#1
November 12th, 2001, 09:14 AM
jdk
Problem with password encryption in htpasswd file.

Alright. Right now I am making a PHP script which will allow you to manage .htaccess and .htpasswd.

Things are easy when you want to edit the .htaccess file, but it gets tricky when I want to write the username/password combo into the .htpasswd (or whatever filename) file.

I wasn't sure what to use, crypt or MD5. Then I found out that MD5 is used on Windows and crypt on Linux.

I am on the WinXP platform. Apache v1.3 is what I am using.

Now here is my problem.

When I use the htpasswd exe to add/edit a user in the password file, it uses MD5 even though I force it to use crypt by specifying the -d option. It uses MD5 ONLY. But the interesting thing is that when I use md5 in my PHP script to encrypt the password, the encrypted versions are not the same. It's different from what the htpasswd binary generates, and as a result the user is added but he cannot log in, as it says the password is incorrect. Similarly, even though I tried using crypt, that didn't work either. Certainly I won't like to use the plain text option. So what's the problem here?

Also, I am curious about how Apache finds out which user's password is encrypted in which form: MD5/crypt or plain text? Does it check all the available options?? I don't think that would be a good idea.

Though the interesting thing is that the same script works on a Linux server without any problems. I can use any salt in crypt or I can even use md5; the crypted password is recognised for sure.

Also I have seen that people are using crypt with any salt. So how can Apache compare the crypted password without knowing the original salt???

So how does this password file mechanism work??
And why does my script work on Linux and not on Windows while I am doing the same thing in each case???

jd

P.S.: freebsd, listening???
#2
November 12th, 2001, 01:26 PM
freebsd
First off, I know nothing when it comes to Apache in a Win32 environment. I also haven't tried Digest Authentication on UNIX.

>> so how apache can compare the crypted password w/o knowing the original salt ???

If they are the same, it returns 0. That's how it works on UNIX. Here is an example:

#!/usr/bin/perl
use strict;
use warnings;

my $passwd = 'clearpass';
# I just made this up; in practice this is the value stored in .htpasswd
my $encrypt = 'abUa1kZqa48q';

# crypt() takes the salt from the stored value itself, so the stored
# value is passed as the salt and the result is compared against it
my $crypt = crypt($passwd, $encrypt);
if ($crypt eq $encrypt) {
    print "Password Correct\n";
}
else {
    print "Password Incorrect\n";
}

Of course, in this example, $crypt ne $encrypt and Password Incorrect would be returned. You can test it on your Linux box: simply copy the encrypted password to $encrypt and use your real password for $passwd.

#3
November 13th, 2001, 01:34 AM
jdk
freebsd, thanks for the reply.

But I am still confused about all this stuff.

I know that we compare the encrypted passwords, and I have no doubt about the code you posted.

My problem is that for the crypt function, if I provide a different salt value, the encrypted version would be different.

Check this.

I have seen that I can use ANY salt value, but still Apache would be able to recognise the crypt version and would check if the passwords are the same.

OK, let's say these are my .htpasswd contents.

jdk:thrw9/0bpaXPM
freebsd:anzq.GYn/EIg.
zeus:6b2fe7430170509f2845af13bd12fa90

In this case, jdk's and freebsd's plain text password is the same, i.e. 'Text I want to encrypt', but the encrypted versions are different because I have used different salts for crypt. But still it's amazing to know that Apache would figure this out and would allow both of us to log in.

And still for, say, zeus, it would determine that it's the MD5 of the plain text.

So what does Apache do when it has this combo?

Does it check against each encryption of the plain text, or what? How is this magic being done? I would love to know!!!!

I hope I am more clear this time.

jd

#4
November 13th, 2001, 04:20 AM
pippo
I'm not sure I understand right, but I'm sure that I'm not an expert :-).

Have you already read here
-->> http://httpd.apache.org/docs/programs/htpasswd.html
?!?
Maybe some info there could help you.

Such as:
.....
htpasswd encrypts passwords using either a version of MD5
modified for Apache, or the system's crypt() routine. Files
managed by htpasswd may contain both types of passwords;
some user records may have MD5-encrypted passwords while
others in the same file may have passwords encrypted with
crypt().
.....

About how this magic is done... I don't know!

#5
November 13th, 2001, 04:30 AM
jdk
Hey pippo,

The link told me something new.

This is from that page:

Quote:

The MD5 algorithm used by htpasswd is specific to the Apache
software; passwords encrypted using it will not be usable
with other Web servers.

So one of my problems is clear now.

But I am still unsure how Apache would be able to encrypt the plain text password to the encrypted one without even knowing the salt which is used for crypt. Or is it something like you can find the salt from the encrypted version of the password?? Guess that might be the case, though according to me that wouldn't be a good idea.

Oops, I completely overlooked your example, freebsd. You mean to say that as the salt I would provide the existing encrypted password and it would work?

Hm... I would have to see how crypt works and what the use of the salt is.

This is really interesting.

jd

#6
November 13th, 2001, 08:37 AM
freebsd
>> but the encrypted versions are different coz i have used different salt for crypt

You can use a randomly selected salt to generate an encrypted password like so:

$salt = 'ljsdflju39847Z240';
$encrypt = crypt($passwd,$salt);

But to validate against it (the example I posted), the original (randomly selected) salt is no longer needed. Instead, you use the encrypted version of your password as the salt like so:

$crypt = crypt($passwd,$encrypt);

That said, the same password can have different encrypted passwords, and this is the same on all UNIX systems with crypt available. So if you get the encrypted password from someone's system, you can brute-force attack it on your local system to find out the real password so long as:

12345 = crypt($passwd,12345); -> exit 0.

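As an added example (not code from anyone in this thread), the following Perl checker does what the posts above work out by hand: it decides the scheme from the stored value itself, feeds a crypt() entry back in as its own salt the way freebsd describes, and handles the Apache-specific MD5 format that pippo's quote mentions. It assumes the CPAN module Crypt::PasswdMD5 for `$apr1$` entries, and the .htpasswd entries are constructed at startup rather than copied from a real file; the plain-text branch reflects that Apache on Win32, which has no crypt(), compares the stored value literally, which is why crypt() entries fail there.

```perl
#!/usr/bin/perl
# Added example: verify a user against .htpasswd-style entries the way
# Apache does, by inspecting the stored value rather than a per-file flag.
use strict;
use warnings;
use Crypt::PasswdMD5 qw(apache_md5_crypt);   # CPAN module, assumed installed

# Constructed entries: hashes are generated here so the script runs anywhere;
# in practice they come straight from the .htpasswd file.
my $pw = 'Text I want to encrypt';
my %htpasswd = (
    jdk     => crypt($pw, 'th'),                  # crypt(), salt "th"
    freebsd => crypt($pw, 'an'),                  # same password, other salt
    zeus    => apache_md5_crypt($pw, 'saltsalt'), # Apache MD5: $apr1$salt$hash
);

sub check_password {
    my ($stored, $candidate) = @_;

    # Apache MD5: the salt sits between the second and third '$'
    if ($stored =~ /^\$apr1\$([^\$]+)\$/) {
        return apache_md5_crypt($candidate, $1) eq $stored;
    }

    # Traditional crypt(): 13 characters, the first two being the salt, so the
    # stored hash is itself a valid salt argument. DES crypt only reads those two
    # salt characters and the first eight characters of the password.
    if ($stored =~ m{^[./0-9A-Za-z]{13}$}) {
        return crypt($candidate, $stored) eq $stored;
    }

    # Anything else is compared as plain text
    return $stored eq $candidate;
}

for my $user (sort keys %htpasswd) {
    for my $try ($pw, 'wrong password') {
        printf "%-8s %-25s %s\n", $user, "'$try'",
            check_password($htpasswd{$user}, $try) ? 'accepted' : 'rejected';
    }
}
```

The crypt() branch needs a libc whose crypt() still implements the traditional DES scheme; on systems where it has been disabled, crypt() returns undef or a failure token and those two users are rejected.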
#7
November 13th, 2001, 08:48 AM
jdk
It's all clear now!!! Thanks freebsd!!

jd
