Sounds good to me.
On 4/30/2013 11:55 AM, Bo Berglund wrote:
> On Tue, 30 Apr 2013 11:36:47 -0400, Ben Johnson <ben@xxxxxxxxxxxxxxxx>
> wrote:
>
>>> Well,
>>> I cannot easily change the authentication method at all because the
>>> "real" website uses CRYPT passwords and we also have a lot of software
>>> in-house that updates these .htpasswd files with new user logins when
>>> new customers are granted access to the protected parts of the site.
>>
>> Ah, I see. Yes, then the only short-term solution seems to be to resolve
>> the issue with .htpasswd files on Windows.
>
> What I can do is to replace the .htpasswd file with for example
> passwords in the .htaccess file and then put a few known test users
> into that using the htpasswd command, which generates md5 hashes.
> Then I can use the test site on my PC and the only thing I must not do
> is commit the changed .htaccess file to CVS....
Understood.
>> Nonetheless, you might suggest migrating the "live" server to some form
>> of database authentication in the future. It would be much simpler for
>> your in-house software to maintain and update a single database table,
>> rather than potentially hundreds of .htpasswd and .htaccess files.
>
> I guess so, but then I first have to get comfortable using databases
> on the website...
>>> I have no idea how I could generate MD5 passwords in my software so I
>>> am stuck with CRYPT (which I can create).
>>> Note that if this is changed I need to do the same on all of the
>>> protected folders on the real site...
>>
>> Generating MD5 passwords should be trivial in any environment. If you
>> have a specific scripting language or similar, I'd be happy to provide
>> examples. However, based on what you say above, changing from CRYPT to
>> MD5 sounds like as much or more work as getting CRYPT to work on Windows.
>
> I could probably call the Apache htpasswd program from within my own
> program and supply it with parameter -c to create a new file and then
> I read that back. Like this:
> htpasswd.exe -cb passwordfile username password
>
>>
>> I wouldn't go that far. There has to be a way to make CRYPT work on
>> Windows. I'll do some more research (and attempt to get this working on
>> my own machine) and provide an update.
>>
>
> The problem is getting Apache on Win7 to recognize CRYPT:ed passwords.
> Creating them is no big deal, I already have software components for
> that. But getting Apache to read them is....
Ah, right. Well, it seems that I stand corrected: it does *not* seem to
be possible to make Apache read crypted passwords on Windows:
http://httpd.apache.org/docs/2.2/misc/password_encryptions.html#basic
CRYPT
Unix only. Uses the traditional Unix crypt(3) function with a
randomly-generated 32-bit salt (only 12 bits used) and the first 8
characters of the password.
> I cannot understand why they left that out of Apache when compiling
> for Windows....
>
I'm sure there is a good reason. I have yet to see ASF do anything
without one.
Maybe someone else can articulate the rationale.
Bummer!
-Ben