Apache authentication (continued)
Hi All
I've got the .htaccess files working now, thanks to Phil, and I am now challenged for a username/password pair. However, I still cannot get to the html and php files as the password for the user does not seem to be valid at that moment in time.
I have experimented with the htpasswd command and have found that the encrypted password changes even though the same user and password is supplied. This happens unless the command is repeated quickly using
htpasswd -np <user> <password>
to show the result on screen. This suggests there is a time element in the encryption. Surely the encrypted password should be the same no matter when the command was executed? It seems obvious the client and server have different ideas what the encrypted password should be. Are there any other flags required to get this working?
Regards Bill
On Thursday 19 Dec 2002 10:34 pm, Bill Antonia wrote:
Hi All
I've got the .htaccess files working now, thanks to Phil and I am now challenged for a username/password pair, however I still cannot get to the html and php files as the password for the user does not seem to be valid at that moment in time.
I have experimented with the htpasswd command and have found that the encrypted password changes even though the same user and password is supplied. This happens unless the command is repeated quickly using
htpasswd -np <user> <password>
to show the result on screen. This suggests there is a time element in the encryption. Surely the encrypted password should be the same no matter when the command was executed? It seems obvious the client and server have different ideas what the encrypted password should be. Are there any other flags required to get this working?
Regards Bill
Hi Bill,
you may be right about time being a factor in the encryption of the password - I don't know how Linux generates random numbers. However, this is not your problem.
Here's a quick overview of how (crypt) passwords work.
When you create a new password it is encrypted using the crypt() library function. This function takes a 'salt' and a password, and then uses the salt to encrypt the password. The resulting password is the salt followed by the 'crypt'ed password.
htpasswd and other programs that use the crypt() library will randomly generate a salt when setting a new password. When checking an existing password, they will use the existing salt that is prefixed to the password. In fact, I think that you can pass the whole password and crypt() will strip it.
Below is a piece of perl script that demonstrates this. (Taken from the perl manpages)

    # Fetch the current user's stored password hash
    $pwd = (getpwuid($<))[1];

    # Read the password without echoing it to the terminal
    system "stty -echo";
    print "Password: ";
    chomp($word = <STDIN>);
    print "\n";
    system "stty echo";

    # Re-hash the typed password, passing the stored hash as the salt
    if (crypt($word, $pwd) ne $pwd) {
        die "Sorry...\n";
    } else {
        print "ok\n";
    }

Back to your problem. What do you get on-screen; just the invalid password/try again? What do you get in the logs? What permissions do you have to the password file? What happens if you remove the file?
--
Gary Stainburn
This email does not contain private or confidential material as it may be snooped on by interested government parties for unknown and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
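Added example, not part of the original thread: a Perl sketch of the salt behaviour discussed above, showing why two runs on the same password produce different hashes and why verification has to reuse the stored salt. The sub names `make_entry` and `check_entry`, the user name and the passwords are constructed for illustration, and it assumes the system's crypt() still supports traditional two-character salts.

```perl
#!/usr/bin/perl
# Added illustration; sub names, user and passwords are constructed sample values.
use strict;
use warnings;

# The 64 characters allowed in a traditional crypt() salt.
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Build a "user:hash" line the way a crypt()-based tool sets a NEW password:
# pick a fresh random two-character salt, then hash. rand() is used only to
# keep the sketch short; a real tool should use a stronger random source.
sub make_entry {
    my ($user, $password) = @_;
    my $salt = join '', map { $SALT_CHARS[rand @SALT_CHARS] } 1 .. 2;
    my $hash = crypt($password, $salt);
    die "crypt() has no traditional two-character salt support here\n"
        unless defined $hash && length($hash) == 13;
    return "$user:$hash";
}

# Check a password against an EXISTING entry: pass the stored hash as the
# salt argument, so crypt() reuses the salt it begins with.
sub check_entry {
    my ($entry, $password) = @_;
    my (undef, $stored) = split /:/, $entry, 2;
    my $candidate = crypt($password, $stored);
    return defined $candidate && $candidate eq $stored;
}

# Traditional crypt() only looks at the first 8 characters of the password,
# so the sample passwords differ within those 8 characters.
my ($user, $password) = ('bill', 'S3cr3t-8');
my $first  = make_entry($user, $password);
my $second = make_entry($user, $password);

print "first entry : $first\n";
print "second entry: $second\n";
printf "salts            : %s and %s\n",
    map { substr((split /:/, $_, 2)[1], 0, 2) } $first, $second;

# Two independently generated hashes normally differ, so string-comparing
# them says nothing about whether the password is right.
printf "hashes identical : %s\n", $first eq $second ? 'yes' : 'no';

# Re-hashing with the stored salt is the valid check.
printf "right pw, first  : %s\n", check_entry($first,  $password)  ? 'ok' : 'rejected';
printf "right pw, second : %s\n", check_entry($second, $password)  ? 'ok' : 'rejected';
printf "wrong pw, first  : %s\n", check_entry($first,  'wr0ng-pw') ? 'ok' : 'rejected';
```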