
(exotic?) Apache authentication problem in Win32


Wayne Morris

Feb 9, 2013, 4:43:15 AM
I am trying to write a GUI user/group manager for Apache. The server runs on one machine, but maintenance is done from another. I wrote my own function to make MD5 hashes. Apache wouldn't accept them. So, I did a rewrite and shelled out to htpasswd and let it create the hashes. Still a no go. So, I did an experiment.

I used htpasswd to create a 4-user passwd file on my local machine, then cut and pasted the file into the location on the remote server Apache expected to find it. Apache would not authenticate anyone.

Finally, I used htpasswd from my local machine, but created the file in place on the remote server. THAT worked.

So, question: what is the difference? Does where you create the file have an effect on the hashes? Why, and what effect? If the previous answer is yes then how can one create a hash that can be inserted into the Apache passwd file and have it work? Any help here would be greatly appreciated. Thanks in advance.

- wm6...@gmail.com

$Bill

Feb 9, 2013, 6:47:05 PM
Are the machines similar (same OS/architecture)? What are they?

Have you dumped the files in hex and compared them?

I've created 'crypt' passwds on Windoze machines using a Perl script or
htpasswd and used them on UNIX boxes (Website) with no problems - never
tried MD5 etc on local Windoze box. I use binary mode on Windoze text
files though (no CR - just LF line terminators) in case that's an issue
between OSs.

Make a phoney passwd file and post a hexdump (from each machine) if you
like along with the real passwd you used and I can at least try to match
it on my machines and see what happens.

Wayne Morris

Feb 11, 2013, 10:22:05 PM
Thank you very much for your reply. Let me see if I can answer your questions... Stand by to get confused...


> Are the machines similar (same OS/architecture)? What are they?

Both machines are Intel x86 machines (Pentium Core Duo) running Windows XP Professional SP3.

> Have you dumped the files in hex and compared them?

Yes. Doesn't help. MD5 hashes are never the same twice. That is why the 'salt' is saved along with the password. I suspect that the path/directory name is being used to form part of the random element of the 'salt', but that shouldn't make it not work since the 'salt' is saved along with the password hash. The format is
$apr1$salt$hash. For example:
$apr1$RcySkga0$WCboL2X8WtrDgwqq6Fn8Z1 .
That way the same 'salt' can be used to create the hash for verification.

> I've created 'crypt' passwds on Windoze machines using a Perl script or
> htpasswd and used them on UNIX boxes (Website) with no problems - never
> tried MD5 etc on local Windoze box. I use binary mode on Windoze text

On the current Windows version of htpasswd, even if you specify UNIX crypt it informs you that it is using MD5 instead. And if you say to use SHA1 then it will, but then Apache barfs. I just love Windblows. Thinking about blowing Windows off the server and installing Linux.

> files though (no CR - just LF line terminators) in case that's an issue
> between OSs.

Yep. I tried that one too. I've had that problem before.

> Make a phoney passwd file and post a hexdump (from each machine) if you
> like along with the real passwd you used and I can at least try to match
> it on my machines and see what happens.

I think I'll solve the problem in the short run by just shelling out to htpasswd and letting it modify the working file (since I know that works). Then I can read the password back into my program. Yeah, it's ugly, but it'll work until I can figure out the problem. Am going to download the Apache source and look at the authentication. Hopefully the C++ code isn't seriously obfuscated. Still may end up with Linux...

Appreciate the suggestions.

- wm6...@gmail.com
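
The `$apr1$salt$hash` layout described above, as an added example that is not part of the original thread: a Python re-implementation of the apr1 scheme (function names are this example's own) that recomputes a record's hash from its stored salt and rejects records with stray bytes in the salt or hash field. The sample record is the test vector from the Apache httpd password-formats documentation (password `myPassword`), not data from this thread.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt):
    """Apache's MD5 variant ($apr1$): salted, 1000 rounds of MD5."""
    pw, s = password.encode(), salt.encode()[:8]
    inner = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s
    ctx += inner * (len(pw) // 16) + inner[:len(pw) % 16]
    n = len(pw)
    while n:                              # one byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                 # stretching rounds
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                  for a, b, c in order) + _to64(final[11], 2)
    return "$apr1$%s$%s" % (s.decode(), enc)

def check_entry(raw_line, password):
    """Return 'ok', 'mismatch' or 'malformed' for one user:hash record."""
    _user, sep, stored = raw_line.partition(":")
    parts = stored.split("$")             # ['', 'apr1', salt, digest]
    if not sep or len(parts) != 4 or parts[1] != "apr1":
        return "malformed"
    if len(parts[3]) != 22 or any(c not in ITOA64 for c in parts[2] + parts[3]):
        return "malformed"                # e.g. a stray CR or space after the digest
    same = hmac.compare_digest(apr1_hash(password, parts[2]), stored)
    return "ok" if same else "mismatch"

# Documented test vector (user myName, password myPassword), not from this thread
SAMPLE = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/"
```

Feeding each line of a copied file, unstripped, to `check_entry` separates a record damaged in transfer ('malformed') from one whose hash does not match the password ('mismatch').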

$Bill

Feb 12, 2013, 3:20:07 AM
On 2/11/2013 19:22, Wayne Morris wrote:
> Thank you very much for your reply. Let me see if I can answer your questions... Stand by to get confused...

You could do it in a CGI script on the server. Perl has a native 'crypt'
function and a Digest::MD5 module too (which I used to create my passwords).
Not sure about PHP, etc. I do almost all of my web server code in Perl
including using templates offline to build the pages.

Good luck.

Code snippets:

    use Digest::MD5;

    # $md5, $passwd, $chk_only and $enc_passwd are set elsewhere in the script

    my $crypt_passwd;
    if ($md5) {
        # plain MD5 hex digest of the password (no salt)
        my $ctx = Digest::MD5->new;
        $ctx->add($passwd);
        $crypt_passwd = $ctx->hexdigest;
    } else {
        # traditional crypt() with a 2-character salt
        $crypt_passwd = crypt_passwd ($passwd);
    }

    ...

    my @legal_enc = ('.', '/', '0'..'9', 'A'..'Z', 'a'..'z'); # legal encrypted chrs

    ...

    #- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    sub crypt_passwd { # $crypted_passwd = crypt_passwd ($plainpasswd [, $salt]);
        my $passwd = shift;
        my $salt;

        # if salt supplied

        if (defined $_[0]) {

            $salt = substr $_[0], 0, 2; # get first 2 chars for salt

        # else create a salt using time, pid and rand

        } else {

            if ($chk_only) {
                # checking an existing entry: reuse the salt stored in it
                $salt = substr $enc_passwd, 0, 2; # get first 2 for salt
            } else {
                my $tmp = (time + $$) % 65536;
                srand ($tmp);
                # pick two random characters from the legal salt alphabet
                $salt = $legal_enc[int rand @legal_enc];
                $salt .= $legal_enc[int rand @legal_enc];
            }
        }

        my $new_passwd = crypt ($passwd, $salt);
        return $new_passwd;

    }

