On 4/30/2013 11:55 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <ben@xxxxxxxxxxxxxxxx>
> wrote:
>
>>> Well,
>>> I cannot easily change the authentication method at all because the
>>> "real" website uses CRYPT passwords and we also have a lot of software
>>> in-house that updates these .htpasswd files with new user logins when
>>> new customers are granted access to the protected parts of the site.
>>
>> Ah, I see. Yes, then the only short-term solution seems to be to resolve
>> the issue with .htpasswd files on Windows.
>
> What I can do is to replace the .htpasswd file with for example
> passwords in the .htaccess file and then put a few known test users
> into that using the htpasswd command, which generates md5 hashes.
> Then I can use the test site on my PC and the only thing I must not do
> is commit the changed .htaccess file to CVS....

Sounds good to me.

>> Nonetheless, you might suggest migrating the "live" server to some form
>> of database authentication in the future. It would be much simpler for
>> your in-house software to maintain and update a single database table,
>> rather than potentially hundreds of .htpassword and .htaccess files.
>
> I guess so, but then I first have to get comfortable using databases
> on the website...

Understood.

>>> I have no idea how I could generate MD5 passwords in my software so I
>>> am stuck with CRYPT (which I can create).
>>> Note that if this is changed I need to do the same on all of the
>>> protected folders on the real site...
>>
>> Generating MD5 passwords should be trivial in any environment. If you
>> have a specific scripting language or similar, I'd be happy to provide
>> examples. However, based on what you say above, changing from CRYPT to
>> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
>
> I could probably call the Apache htpasswd program from within my own
> program and supply it with parameter -c to create a new file and then
> I read that back.
> Like this:
> htpasswd.exe -cb passwordfile username password
>
>>
>> I wouldn't go that far. There has to be a way to make CRYPT work on
>> Windows. I'll do some more research (and attempt to get this working on
>> my own machine) and provide an update.
>>
>
> The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> Creating them is no big deal, I already have software components for
> that. But getting Apache to read them is....

Ah, right. Well, it seems that I stand corrected: it does *not* seem to
be possible to make Apache read crypted passwords on Windows:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic

CRYPT
    Unix only. Uses the traditional Unix crypt(3) function with a
    randomly-generated 32-bit salt (only 12 bits used) and the first 8
    characters of the password.

> I cannot understand why they left that out of Apache when compiling
> for Windows....
>
>

I'm sure there is a good reason. I have yet to see ASF do anything
without one. Maybe someone else can articulate the rationale.

Bummer!

-Ben
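
An added example, not part of the original thread: in-house software can produce the `$apr1$` MD5 entries that `htpasswd -m` writes without shelling out to `htpasswd.exe`. The Python sketch below implements the APR1-MD5 scheme; the function names `apr1_hash`, `verify` and `htpasswd_line` are hypothetical, and the default salt is randomly generated.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

def apr1_hash(password: str, salt: str = "") -> str:
    """Return an Apache APR1-MD5 hash string ($apr1$salt$digest)."""
    pw = password.encode("utf-8")
    # Constructed default: 8 random salt characters from the crypt alphabet.
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    sp = salt.encode("ascii")
    ctx = hashlib.md5(pw + MAGIC + sp)
    final = hashlib.md5(pw + sp + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(final[:min(16, left)])
    n = len(pw)
    while n:                      # quirk kept from md5-crypt: NUL or first pw byte
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):         # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = []                      # crypt-style base64, low 6 bits first
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return f"$apr1${salt}$" + "".join(out)

def verify(password: str, stored: str) -> bool:
    """Check a password against a stored $apr1$ hash in constant time."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "apr1":
        raise ValueError("not an APR1-MD5 hash")
    return hmac.compare_digest(apr1_hash(password, salt), stored)

def htpasswd_line(user: str, password: str) -> str:
    """One line in the user:hash format that htpasswd writes."""
    return f"{user}:{apr1_hash(password)}"
```

Unlike CRYPT entries, hashes in this format are read by Apache on Windows as well as Unix, so the same password file works on a Win7 test machine and on the live server.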