Topic: How Apache Encrypted Passwords really work

Author: tdonovan (Moderator)
Joined: 17 Dec 2005   Posts: 611   Location: Milford, MA, USA
Posted: Sun 26 Aug '07 4:17   Post subject: How Apache Encrypted Passwords really work

I have needed to figure out the way Apache encrypted passwords work from time to time, especially using the new DBD database stuff for authentication.
I contributed my notes to the Apache wiki, but since it takes a while for this to work its way into the Apache docs, I'll post the info here too.
-tom-
-------------------------------------------------------------------------
Basic Authentication
There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
1. PLAIN TEXT (i.e. unencrypted) passwords: Windows, BEOS, & Netware only.
2. CRYPT passwords: Unix only. Uses the traditional Unix crypt(3) function with a random 32-bit salt (only 12 bits used) and the first 8 characters of the password.
3. SHA1 passwords: "{SHA}" + Base64-encoded SHA-1 digest of the password.
4. MD5 passwords: "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm.
The htpasswd program can be used to generate values:
MD5 Code:
    htpasswd -nbm myName myPassword
    myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
SHA1 Code:
    htpasswd -nbs myName myPassword
    myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
CRYPT Code:
    htpasswd -nbd myName myPassword
    myName:rqXexS6ZhobKA
The OpenSSL command-line program can also be used to generate CRYPT and MD5 values.
OpenSSL knows the Apache-specific MD5 algorithm.
MD5 Code:
    openssl passwd -apr1 myPassword
    $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
CRYPT Code:
    openssl passwd -crypt myPassword
    qQ5vTYO3c8dsU
The OpenSSL command-line program can be used to validate CRYPT or MD5 passwords.
CRYPT
The salt for a CRYPT password is the first two characters (converted to a binary value).
To validate myPassword against rqXexS6ZhobKA:
Code:
    openssl passwd -crypt -salt rq myPassword
    Warning: truncating password to 8 characters
    rqXexS6ZhobKA
Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.
MD5
The salt for an MD5 password is between $apr1$ and the following $ (converted to a binary value - max 8 chars).
To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/:
Code:
    openssl passwd -apr1 -salt r31..... myPassword
    $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
Database password fields for mod_dbd
The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords which are usable by Apache basic authentication.
To create Apache SHA1-variant basic-authentication passwords in other languages:
PHP Code:
    '{SHA}' . base64_encode(sha1($password, TRUE))
Java Code:
    // java.util.Base64 (Java 8+) replaces the unsupported sun.misc.BASE64Encoder
    "{SHA}" + java.util.Base64.getEncoder().encodeToString(
        java.security.MessageDigest.getInstance("SHA-1").digest(
            password.getBytes(java.nio.charset.StandardCharsets.UTF_8)))
ColdFusion Code:
    "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
Ruby Code:
    require 'digest/sha1'
    require 'base64'
    # strict_encode64 avoids the trailing newline that encode64 appends
    '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(password))
C or C++ Code:
    /* from APR-util's apr_sha1.h; writes "{SHA}" + Base64 digest of clear into out */
    void apr_sha1_base64(const char *clear, int len, char *out)
PostgreSQL (with the contrib/pgcrypto functions installed) Code:
    '{SHA}' || encode(digest(password, 'sha1'), 'base64')
Digest Authentication
Apache only recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits.
realm is the Authorization Realm argument to the AuthName directive.
Database password fields for mod_dbd
Since the MD5 function is commonly available, other software can populate a database with encrypted passwords which are usable by Apache digest authentication.
To create Apache digest-authentication passwords in other languages:
PHP Code:
    md5($user . ':' . $realm . ':' . $password)
Java Code:
    byte[] b = java.security.MessageDigest.getInstance("MD5").digest(
        (user + ":" + realm + ":" + password).getBytes(java.nio.charset.StandardCharsets.UTF_8));
    // signum 1 treats the digest as unsigned and %032x keeps leading zeros, so the
    // result is always 32 hex digits (new BigInteger(b) alone can go negative or come out short)
    String s = String.format("%032x", new java.math.BigInteger(1, b));
    // String s is the encrypted password
ColdFusion Code:
    LCase(Hash((user & ":" & realm & ":" & password), "MD5"))
Ruby Code:
    require 'digest/md5'
    Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
PostgreSQL (with the contrib/pgcrypto functions installed) Code:
    encode(digest(user || ':' || realm || ':' || password, 'md5'), 'hex')
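As an added example that is not part of tdonovan's post and not code from Apache or APR, the following Python (standard library only) implements the three stored formats the post describes: the "{SHA}" basic-auth variant, the Apache-specific "$apr1$" MD5 scheme exactly as the post summarizes it (1,000 iterated MD5 rounds over combinations of salt and password, then a crypt-style Base64 of the 16 digest bytes in a custom order), and the digest-auth MD5 of user:realm:password. It also shows the other half of the job, a verifier that extracts the salt from a stored field and compares in constant time. The function names, the generated salt length and the sample realm "myRealm" are my choices, not Apache's. The CRYPT format is left out on purpose: it only hashes the first 8 characters, and both openssl passwd -crypt (removed in OpenSSL 3.0) and Python's crypt module (removed in 3.13) are gone from current releases.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Alphabet used by crypt(3)-style hashes for salts and for the 22-char apr1 digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def apache_sha1(password: str) -> str:
    """Basic-auth SHA1 variant: '{SHA}' + Base64(SHA-1(password)), no trailing newline."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def _to64(value: int, count: int) -> str:
    # Emit `count` base-64 characters, least-significant 6 bits first (crypt convention).
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: Optional[str] = None) -> str:
    """Apache-specific MD5 scheme ($apr1$), following the algorithm in APR's apr_md5.c."""
    if salt is None:  # fresh random salt, as htpasswd -m would generate
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]  # at most 8 salt characters are used
    pw, sb = password.encode("utf-8"), salt.encode("ascii")

    # Outer context: password, magic, salt ...
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    # ... then as many bytes of MD5(password + salt + password) as the password is long ...
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx.update((alt * (len(pw) // 16 + 1))[: len(pw)])
    # ... then one byte per bit of len(password): NUL for 1 bits, password[0] for 0 bits.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1,000 stretching rounds; what goes into each round depends on the round number.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sb)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # Bytes are regrouped in a fixed order before the crypt-style base-64 encoding (22 chars).
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def digest_ha1(user: str, realm: str, password: str) -> str:
    """Digest-auth stored value: lowercase hex MD5 of 'user:realm:password' (realm = AuthName)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def verify_basic(stored: str, password: str) -> bool:
    """Check a candidate password against a {SHA} or $apr1$ field in constant time."""
    if stored.startswith("{SHA}"):
        candidate = apache_sha1(password)
    elif stored.startswith("$apr1$"):
        # The salt is everything between '$apr1$' and the next '$', just as openssl -salt takes it.
        salt = stored[len("$apr1$"):].split("$", 1)[0]
        candidate = apr1_md5(password, salt)
    else:
        raise ValueError("unsupported or plain-text password format")
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


if __name__ == "__main__":
    # Fields quoted in the post above (myName / myPassword), re-checked by the verifier.
    for field in ("{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=",
                  "$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
                  "$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0"):
        print(field, verify_basic(field, "myPassword"))
    print(apr1_md5("myPassword"))                          # new random salt each run
    print(digest_ha1("myName", "myRealm", "myPassword"))   # "myRealm" is a constructed AuthName
```

Running the script prints True for each of the post's three stored values if the implementation matches what htpasswd and openssl produced. For a mod_dbd setup the verifier is not needed (Apache does the comparison), but the generators are what a provisioning script would call to fill the password column; note that none of these formats use a work factor that can be raised, which is why the digest variant in particular must be treated as password-equivalent and protected accordingly.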