Hi All I'm not sure that I'm on exactly the correct mailing list here, but I figured it a good place to start, even it is just to get someone to guide me in the right direction. Some years ago I wrote web front-end for managing .htpasswd files. My client has been using this for years. Everything is written in php and I use crypt without a seed to encrypt the passwords. Basically what I do is to allow the user to create entries in the .htadmin file. They can also manage the .htpasswd file by editing and deleting entries. Everything worked very well for about 2 years at which point the passwords wouldn't work anymore. I couldn't figure out what was wrong and the client's ISP would help finding the fault and I couldn't reproduce the problem on my own servers. I then moved everything onto my own servers and everything worked again for several years. Unfortunately I then had to move onto rented web space where everything continued to work for another year or so and now I'm experiencing the same problem again. When the problem originally started I modified the scripts to keep a copy of the .htpasswd file with open passwords and I added a menu item to allow the user to re-submit the password file. The would encrypt all the passwords again and write them to the .htpasswd file and things would work again for a few days. Now however the thing breaks so often that we just can carry on resubmitting again. I have once again moved everything onto my servers and since last night I discovered one thing: If I use htpasswd to create an entry in a .htpasswd file, it will generate a different hash for the password everytime you run it. However, when you log in, it works, even thought the password in the .htpasswd file seemed to have change. My question in the first place then is: How on earth does htpasswd manage to authenticate if the password hash changes every time. My understanding of how authentication work is that the password is saved as a md5 or DES hash and when the user tries to log in he enters his clear password which is then encrypted and compared with the hash in the password file. Surely though the two hashes should be the same. If however a seed is used which is different every time the encrypting is done then we'll get a different password every time and they should be equal. Why then does apache still authenticate the user? My second question is: Did the way htpasswd and apache work change at some stage, or why did my scripts stop working after such a long time? The project is available in sourceforge at http://sourceforge.net/project/showfiles.php?group_id=62350. I would really appreciate any guidance on this problem. Kind Regards Jannetta --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|