
.htaccess authentication control via PHP


timhil...@gmail.com

Apr 1, 2008, 10:12:56 AM
Hi everyone,

I'm working on a project that requires multiple registered users to be
able to authenticate, and view an RSS feed. For securing an RSS feed,
the options are pretty slim, and so the basic .htaccess flavour of
authentication is pretty much the only way forward.

I've set up the necessary authentication files on the server side, and
that all works fine. What I need to do now, is create a script that
can modify the file containing valid usernames and passwords, so that
new users can be added automatically when necessary.

In principle this isn't a problem (as in, reading and writing to the
file isn't). The problem arises with the password encryption. You see,
the passwords are (obviously) encrypted before they're stored in the
file on the server. This is all fine and dandy when done directly via
the command line - but it seems that when I try to write to the file
via the PHP script, it doesn't encrypt the passwords in the same way.
And thus, when it comes to logging in, the valid password doesn't
match, and is rejected.

I have analysed the contents of the files - one created via the shell
htpasswd command, and one created via the PHP script, and I can
confirm that for the same password, the encryption "result" is
different.

Thus it must follow that the server is running a different encryption
algorithm to the one in the PHP script, which looks like this:

$thePW = crypt(trim($thePW),base64_encode(CRYPT_STD_DES));
return $thePW;

I have tried 2 or 3 pre-made classes, from:

http://www.thewebmasters.net/php/Htpasswd.phtml
http://www.weberdev.com/get_example-4178.html

But always get similar results - the way the password is encrypted
seems to be foreign to the server's native encryption method, and thus
the passwords never check out.

Would anybody be able to give me any advice on how one might get
around this? Is there any way to determine the exact method of
encryption the server is using? Is there a standard way of doing this
via PHP that I'm just totally missing?

Any help would be greatly appreciated - thank you very much,

Cem

Apr 1, 2008, 10:24:30 AM
On 1 Apr., 16:12, timhillonl...@gmail.com wrote:
> Thus it must follow that the server is running a different encryption
> algorithm to the one in the PHP script, which looks like this:
>
> $thePW = crypt(trim($thePW),base64_encode(CRYPT_STD_DES));
> return $thePW;
>
> I have tried 2 or 3 pre-made classes, from:
>
> http://www.thewebmasters.net/php/Htpasswd.phtml
> http://www.weberdev.com/get_example-4178.html

Aren't you able to call htpasswd by exec or system? That would be my
way to solve it ... :(

Cheers,

Cem

timhil...@gmail.com

Apr 1, 2008, 10:53:17 AM
On 1 Apr, 23:24, Cem <action...@googlemail.com> wrote:
>
> Aren't you able to call htpasswd by exec or system? That would be my
> way to solve it ... :(
>
> Cheers,
>
> Cem


Hi Cem, thanks for your response.

I had considered that, but what prevented me doing it was that the
htpasswd command to create a user is not just a single line - a
dialogue is required. You first enter:

htpasswd [path] username

...and then you're prompted to enter (and then confirm) a password. So
the problem is I have no idea how you'd be able to carry out this
dialogue via PHP - but please someone slap me silly if I'm being
dense!

Thanks!

Boris Stumm

Apr 1, 2008, 11:15:11 AM
timhil...@gmail.com wrote:
> I had considered that, but what prevented me doing it was that the
> htpasswd command to create a user is not just a single line - a
> dialogue is required. You first enter:
>
> htpasswd [path] username
>
> ...and then you're prompted to enter (and then confirm) a password. So
> the problem is I have no idea how you'd be able to carry out this
> dialogue via PHP - but please someone slap me silly if I'm being
> dense!

Have a look at the -b option of htpasswd.

The Natural Philosopher

Apr 1, 2008, 11:52:23 AM

Try this one: works for me.

<?php
function htadduser($filename, $logname, $password)
{
    $logname = rtrim($logname); // strip any trailing spaces
    $password = rtrim($password);
    // a ':' or a line break in the name would corrupt the user:hash line format
    if ($logname === '' || strpbrk($logname, ":\r\n") !== false) {
        return -1;
    }
    $fp = fopen($filename, "r+"); // open reading AND writing
    if ($fp) {
        while (!feof($fp)) {
            $buffer = fgets($fp, 4096);
            $username = explode(":", $buffer); // extract the actual username
            if ($logname == $username[0]) { // can't add an existing user.
                fclose($fp);
                return -1;
            }
        }
        // OK we are at the file end, and we haven't found an identical user.
        // time to get an encrypted password
        // two character salt to force DES; only ./0-9A-Za-z are valid salt characters
        $chars = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
        $salt = $chars[random_int(0, 63)] . $chars[random_int(0, 63)];
        $hash = crypt($password, $salt);
        fseek($fp, 0, SEEK_END); // make sure we ARE at the file end..
        fprintf($fp, "%s:%s\n", $logname, $hash);
        fclose($fp);
        return 0;
    }
    return -1; // no password file!
}
?>

Toby A Inkster

Apr 1, 2008, 11:56:30 AM
timhillonline wrote:

> htpasswd [path] username
>
> ...and then you're prompted to enter (and then confirm) a password. So
> the problem is I have no idea how you'd be able to carry out this
> dialogue via PHP - but please someone slap me silly if I'm being dense!

htpasswd -b [path] username password


--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 6 days, 3:15.]

Cognition 0.1 Alpha 6
http://tobyinkster.co.uk/blog/2008/03/29/cognition-alpha6/
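
Calling `htpasswd -b` from PHP through exec or system hands user-supplied strings to a shell and puts the password in the process list, so here is an added example (not code from any poster in this thread) that runs htpasswd without a shell and feeds the password on stdin. It assumes PHP 7.4+ and htpasswd from Apache 2.4.4 or later (for `-i` and `-B`); the function name and the default binary path are hypothetical.

```php
<?php
// Added example. Assumptions: PHP 7.4+ (array form of proc_open) and
// htpasswd from Apache 2.4.4+; function name and $bin path are hypothetical.
function htpasswd_add_user(string $file, string $user, string $password,
                           string $bin = '/usr/bin/htpasswd'): bool
{
    // The file format is one "user:hash" per line, so ':' and control
    // characters are rejected; a leading '-' would be read as an option.
    if (!preg_match('/\A[A-Za-z0-9_.@][A-Za-z0-9_.@-]{0,63}\z/', $user)) {
        return false;
    }
    // -i reads one line from stdin, so a line break would truncate the password.
    if ($password === '' || strpbrk($password, "\r\n") !== false) {
        return false;
    }

    // Array form: arguments are passed to the program directly, no shell
    // parses them, so metacharacters in $user cannot inject a command.
    //   -i  read the password from stdin (not visible in `ps`, unlike -b)
    //   -B  store a bcrypt hash instead of DES crypt or MD5
    $cmd = [$bin, '-i', '-B', $file, $user];
    $pipes = [];
    $proc = proc_open($cmd, [
        0 => ['pipe', 'r'],   // child's stdin: we write the password here
        1 => ['pipe', 'w'],   // child's stdout
        2 => ['pipe', 'w'],   // child's stderr ("Adding password for user ...")
    ], $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);

    // Drain both pipes so the child never blocks on a full buffer.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // htpasswd exits 0 only if the entry was written.
    return proc_close($proc) === 0;
}
```

Without `-c`, htpasswd expects the password file to exist already, and an existing user's entry is replaced rather than duplicated.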

timhil...@gmail.com

Apr 2, 2008, 8:02:27 AM
On 2 Apr, 00:56, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:

> timhillonline wrote:
> > htpasswd [path] username
>
> > ...and then you're prompted to enter (and then confirm) a password. So
> > the problem is I have no idea how you'd be able to carry out this
> > dialogue via PHP - but please someone slap me silly if I'm being dense!
>
> htpasswd -b [path] username password

Awesome. That worked a treat!

Thank you so much Toby, and also everyone else who contributed!

You guys are terrific...
