Re: authn_dbd: what format for encrypted password?

Tom Donovan wrote:
Phil Endecott wrote:
Dear Experts,

I'm setting up mod_authn_dbd for the first time (having previously used the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the passwords should be encoded in the database. The docs at http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:

  "The query must take a single string (typically SQL varchar) argument (username),
   and return a single value (encrypted password)."

Do I have a choice of encryption formats? How do I tell it which format I have used? (Is there some more documentation somewhere that I have missed?)

There are four formats that Apache recognizes for passwords.
Note that not all four work on every platform:

1. PLAIN TEXT (i.e. unencrypted) passwords:
  Windows, BeOS, & NetWare only.

2. CRYPT passwords:
  Unix only.
  Calls the Unix crypt(3) function with a
  randomly-generated 32-bit salt and the password.

3. SHA1 passwords:
  "{SHA}" + Base64-encoded SHA-1 digest of the password

4. MD5 passwords:
  "$apr1$" + the result of an Apache-specific algorithm
  using an iterated (1,000 times) MD5 digest of various
  combinations of a randomly-generated 32-bit salt
  and the password. See source file apr-util/crypto/apr_md5.c
  for the details of the algorithm.

Thanks Tom.  I now have it working, something like this:

# You need the pgcrypto contrib package to get SHA1:
apt-get install postgresql-contrib
su postgres -c "psql -f /usr/share/postgresql/8.2/contrib/pgcrypto.sql"

# Configure DBD in the virtualhost:
DBDriver pgsql
DBDParams "dbname=secret user=secret"

<whinge>
The Apache docs could list the available tokens for the parameter
string, or at least link to
http://www.postgresql.org/docs/8.2/static/libpq-connect.html.  I had
mis-remembered it and wrote "db=secret", which caused the following
utterly useless error message:

[Sat Aug 18 19:17:17 2007] [error] [client 8.6.8.19] Error looking up foo in database

Does libpq really not return any more useful error information that
could be included here?  What does PQerrorMessage return?
</whinge>

# Set up the query to return the SHA1 of the password:
AuthDBDUserPWQuery "select '{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64') from users where username=$1"

<another whinge>
I could query why I'm not allowed to use plain text or base64
passwords.  Like very many low-security sites I store passwords in a
form that allows me to implement a "forgotten your password?  click
here and we'll email it to you" feature.  But I suspect that it's the
sort of question that would trigger some strong opinions, and I don't
want to annoy anyone because I think I'll have some more questions for
you all soon...
</another whinge>

# The rest of the configuration:
AuthName "secret"
AuthType basic
AuthBasicProvider dbd
require valid-user

...and now it seems to work.


Joshua wrote:
How about making a page on wiki.apache.org/httpd/ for that?

The information that Tom supplied really ought to be in the main docs.
Is there a migration route from the wiki to the main documentation?

Laurent wrote:
My only advice is to not use it as it doesn't work :-(

Well it seems to be working for me, so far.  In your bug report you wrote:
According to PostgreSQL log, it seems the connection hasn't a "working" status (expired ?)

Have you set up postgres to time out connections?  If you have, try
disabling that.


Regards,

Phil.
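For anyone who wants to check what their database is handing back to mod_authn_dbd, here is a Python re-implementation of the two portable formats Tom lists (the "{SHA}" form and the "$apr1$" form from apr-util's apr_md5.c). This is an added example written for this archive page, not code from the thread or from the httpd/APR projects; the function names, the sample salt "ZjTqBB3f" and the test password "password" are my own choices. It also includes a verify() that dispatches on the prefix, which is roughly what the authn provider does with the value your AuthDBDUserPWQuery returns. Plain-text and crypt(3) values are deliberately not handled, since Tom's list says those only work on some platforms.

```python
import base64
import hashlib
import hmac
import os

# Alphabet used by apr_md5_encode()'s to64() helper (same order as crypt(3)).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_APR1_MAGIC = b"$apr1$"


def sha_encode(password: str) -> str:
    """Format 3 from Tom's list: '{SHA}' + Base64(SHA-1(password)).
    Note there is no salt and no iteration, so equal passwords give equal strings."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def _to64(value: int, n: int) -> str:
    """Emit n characters, 6 bits each, least-significant group first (like to64())."""
    out = []
    for _ in range(n):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_encode(password: str, salt: str) -> str:
    """Format 4 from Tom's list: re-implementation of apr_md5_encode() from apr_md5.c."""
    pw = password.encode("utf-8")
    salt = salt[:8].split("$", 1)[0]      # APR takes at most 8 chars and stops at '$'
    sb = salt.encode("ascii")

    # ctx = MD5(pw || "$apr1$" || salt)
    ctx = hashlib.md5(pw + _APR1_MAGIC + sb)
    # alt = MD5(pw || salt || pw), fed into ctx once per 16 bytes of password length
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(pl, 16)])
        pl -= 16
    # For each bit of len(pw): a zero byte if the bit is set, else the first pw byte
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # The 1,000 iterations Tom mentions; what gets mixed in depends on the round number
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final  # 16 bytes, re-ordered into 22 output characters exactly as apr_md5.c does
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return "$apr1$" + salt + "$" + encoded


def apr1_new_salt() -> str:
    """8 random characters from the itoa64 alphabet for a fresh $apr1$ entry."""
    return "".join(_ITOA64[b & 0x3F] for b in os.urandom(8))


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored '{SHA}' or '$apr1$' value.
    Anything else (plain text, crypt) is rejected here, matching Tom's platform caveats."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_encode(password), stored)
    if stored.startswith("$apr1$"):
        parts = stored.split("$")           # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            return False
        return hmac.compare_digest(apr1_encode(password, parts[2]), stored)
    return False


if __name__ == "__main__":
    # Constructed sample values, not anything from a real deployment
    print(sha_encode("password"))
    h = apr1_encode("password", apr1_new_salt())
    print(h, verify(h, "password"), verify(h, "wrong"))
```

The "{SHA}" value for a given password is the same everywhere, so the output of sha_encode() can be compared directly against what Phil's pgcrypto query returns for the same stored password. For "$apr1$" the salt has to be taken from the stored string first, which is what verify() does; this is also why a query cannot compute an "$apr1$" value on the fly the way it can for "{SHA}".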

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx