Re: Re: Cannot get Apache 2 basic authentication working with CRYPT on Win7

On 4/30/2013 11:12 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 10:31:07 -0400, Ben Johnson <ben@xxxxxxxxxxxxxxxx>
> wrote:
> 
>>
>>
>> On 4/30/2013 9:06 AM, Bo Berglund wrote:
>>> I have a local Apache 2.2 server on my development PC. It is running
>>> on Windows7X64.
>>> Some of our folders are protected and we use .htpasswd files to
>>> authenticate the users with CRYPT-ed passwords.
>>> The whole website is version controlled in CVS and I work on a checked
>>> out copy of the website.
>>>
>>> Now I need to develop some PHP scripts and these need to know which
>>> user is logged on so for debugging I must get the authentication
>>> going.
>>> But so far I have been out of luck using the file with CRYPT:ed
>>> passwords.
>>>
>>> I discovered:
>>> If I use the htpasswd command to create a password on the Win7 box it
>>> seems to totally disregard the command line switch to make a CRYPT
>>> password, instead it always forces use of MD5.
>>>
>>> On the real server (at Network Solutions) the normal .htpasswd file
>>> works just fine.
>>>
>>> How can I make Apache2.2 on Win7X64 use the existing passwords so I
>>> can continue developing the PHP scripts?
>>>
>>>
>>
>> Hi, Bo,
>>
>> While I can't identify the cause of your issue readily, I can suggest a
>> fine alternative: use database authentication instead.
>>
>> Here's an excerpt from a blog comment that I wrote some time ago; it
>> should steer you in the right direction if you are open to my suggestion.
>>
>> From:
>> http://www.pitr.net/index.php/2007/08/08/internal-error-pcfg_openfile-called-with-null-filename/
>> ---------------------------------------------------------------
>> [...] Windows users do not have the ability to specify "AuthUserFile
>> /dev/null". Furthermore, that is an undesirable solution (as others have
>> noted). This is the appropriate method, provided as a complete example:
>>
>> <Directory />
>> 	Options FollowSymLinks
>> 	AllowOverride None
>> 	Order deny,allow
>> 	Deny from all
>> 	Satisfy all
>> 	AuthBasicProvider dbm
>> 	AuthDBMType SDBM
>> 	AuthName "Protected Area"
>> 	AuthType Basic
>> 	AuthDBMUserFile "D:/Program Files/Apache/passwords.dat"
>> 	require valid-user
>> </Directory>
>>
>> Obviously, "AuthBasicProvider" and "AuthDBMType" must reflect the
>> correct values for your system (available types for "AuthDBMType" are:
>> default|SDBM|GDBM|NDBM|DB). See
>> http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html and
>> http://httpd.apache.org/docs/2.1/mod/mod_auth_basic.html for additional
>> information.
>>
>> The above example functions as expected with Apache 2.2.6 on Windows 7
>> x86. "passwords.dat" should be created with something like this:
>>
>> D:\Program Files\apache\bin>htdbm -cs "D:\Program Files\Apache\passwords.dat" yourname
>>
>> Note also that, according to the mod_auth_basic manual page (cited
>> above), setting "AuthBasicAuthoritative" to "Off" "... should only be
>> necessary when combining mod_auth_basic with third-party modules that
>> are not configured with the AuthBasicProvider directive."
>>
>> Thanks to everyone here for the assistance in getting this to work
>> properly (under Windows, no less).
>> ---------------------------------------------------------------
>>
>> Happy to answer any questions! Good luck!
>>
>> -Ben
> 
> Well,
> I cannot easily change the authentication method at all because the
> "real" website uses CRYPT passwords and we also have a lot of software
> in-house that updates these .htpasswd files with new user logins when
> new customers are granted access to the protected parts of the site.

Ah, I see. Yes, then the only short-term solution seems to be to resolve
the issue with .htpasswd files on Windows.

Nonetheless, you might suggest migrating the "live" server to some form
of database authentication in the future. It would be much simpler for
your in-house software to maintain and update a single database table,
rather than potentially hundreds of .htpasswd and .htaccess files.

> I have no idea how I could generate MD5 passwords in my software so I
> am stuck with CRYPT (which I can create).
> Note that if this is changed I need to do the same on all of the
> protected folders on the real site...

Generating MD5 passwords should be trivial in any environment. If you
have a specific scripting language or similar, I'd be happy to provide
examples. However, based on what you say above, changing from CRYPT to
MD5 sounds like as much or more work as getting CRYPT to work on Windows.

> What I wanted to do was use my own Win7 PC with a mirror image of the
> website in such a way that I can test all aspects of the PHP scripts
> before committing to the real world site.
> So the mirror must be working the same way as the real site.

This is perfectly reasonable.

> Seems like I must get a Linux box and install Apache there (it is
> probably already installed out of the box) and then use that as a test
> tool. But then I can't directly test the files as they are edited,
> they have to be transferred over to the Linux server first, what a
> hassle!
> Sigh, have to think of another solution obviously.
> 

I wouldn't go that far. There has to be a way to make CRYPT work on
Windows. I'll do some more research (and attempt to get this working on
my own machine) and provide an update.

Also, I am able to corroborate the behavior you describe:

C:\Program Files\apache\bin>htpasswd -dc "C:\Program Files\Apache\passwords-test.dat" yourname
Automatically using MD5 format.
New password: ******
Re-type new password: ******
Adding password for user yourname

More soon,

-Ben
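
Added example, not part of the original thread or of Apache's own code: the "MD5 format" that htpasswd falls back to on Windows is Apache's salted, iterated `$apr1$` scheme rather than a bare MD5 digest, and this Python sketch generates and verifies such entries the way in-house tooling that maintains .htpasswd files would have to. The function names `apr1_hash` and `check_entry` and the sample user and password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password, salt=None):
    """Return an Apache '$apr1$' (salted, iterated MD5) hash string."""
    if salt is None:  # 8 random characters from the crypt alphabet
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, s = password.encode("utf-8"), salt[:8].encode("ascii")
    alt = hashlib.md5(pw + s + pw).digest()
    buf = pw + b"$apr1$" + s
    for n in range(len(pw), 0, -16):   # len(pw) bytes of the alternate digest
        buf += alt[:min(n, 16)]
    n = len(pw)
    while n:                           # one byte per bit of the password length
        buf += b"\0" if n & 1 else pw[:1]
        n >>= 1
    digest = hashlib.md5(buf).digest()
    for i in range(1000):              # fixed 1000-round stretching loop
        buf = pw if i & 1 else digest
        if i % 3:
            buf += s
        if i % 7:
            buf += pw
        buf += digest if i & 1 else pw
        digest = hashlib.md5(buf).digest()
    # Reorder the 16 digest bytes and emit them in crypt-style base64.
    words = [(digest[a] << 16 | digest[b] << 8 | digest[c], 4) for a, b, c in
             ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    words.append((digest[11], 2))
    out = ""
    for value, count in words:
        for _ in range(count):
            out += ITOA64[value & 0x3F]
            value >>= 6
    return "$apr1$%s$%s" % (s.decode("ascii"), out)

def check_entry(line, password):
    """Verify password against one 'user:$apr1$salt$hash' .htpasswd line."""
    _user, stored = line.strip().split(":", 1)
    if not stored.startswith("$apr1$"):
        raise ValueError("not an apr1 entry (e.g. CRYPT or {SHA})")
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)

if __name__ == "__main__":
    entry = "yourname:" + apr1_hash("example-password")  # constructed sample
    print(entry, check_entry(entry, "example-password"))
```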
