[rt-users] Re: Password Encryption Used By RT

Dave Ewart Dave.Ewart at cancer.org.uk
Mon Nov 11 04:13:01 EST 2002


On Friday, 08.11.2002 at 09:51 -0800, John Gedeon wrote:

> At 08:52 AM 11/8/2002, Dave Ewart wrote:
> >On Friday, 08.11.2002 at 10:41 -0600, Rick Bradley wrote:
> >
> > > In short, if your system uses crypt() passwords then you should be
> > > able to cut and paste from the passwd file, otherwise no.
> >
> > Or, you could set RT to use "external" authentication, which means that
> > the authenticated user passed by Apache is accepted and used by RT.  You
> > can then create a password file, for use by Apache, containing the MD5
> > passwords from elsewhere.  If you'd like more details, let me know.
> 
> Yeah could you go into more detail?
> Thanks for the info

A couple of people have asked about this so ... try the following:

Set $WebExternalAuth = 'on';

in etc/config.pm

This will make Apache responsible for providing RT with an authenticated
username - "external" means external to RT, not necessarily on another
server, for example, as I understand.

in httpd.conf:

Alias /rt2/ /opt/rt2/WebRT/html/
PerlRequire /opt/rt2/bin/webmux.pl
<Location /rt2>
  SetHandler perl-script
  PerlHandler RT::Mason
  AuthType Basic
  AuthUserFile /usr/local/apache/conf/htpasswd.users
  AuthName "Use normal password"
  require valid-user
</Location>

Note the "AuthUserFile" - this is a file which is only used by RT and I
populate it and keep it up-to-date by using 'scp' to pull across the
shadow password file from our main central server (RT is installed on a
different box).

I have the following script run every 15 minutes or so, which updates
the file htpasswd.users from the shadow password file on the other box:

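# ----------------------------------------------------------------------
#!/bin/bash
#
# Copy /etc/shadow and build password file for RT access

HERE=/usr/local/apache/conf
SCP=/usr/local/bin/scp
SHADOW_TARGET=root@centralserver.blah.com:/etc/shadow
SHADOW_LOCAL=$HERE/shadow.tmp
PASSWD_FILE=$HERE/htpasswd.users

# Fetch the shadow file; stop if the copy fails so the existing
# password file is not overwritten with an empty one
$SCP -q "$SHADOW_TARGET" "$SHADOW_LOCAL" || { rm -f "$SHADOW_LOCAL"; exit 1; }
# Keep only "username:hash" for entries with an MD5 ($1$) password
cut -f1-2 -d ':' "$SHADOW_LOCAL" | grep '\$1\$' > "$PASSWD_FILE"
# Remove the local copy of the shadow file
rm -f "$SHADOW_LOCAL"
# ----------------------------------------------------------------------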

Note that only the username and shadow password are required, hence the
'cut' - the 'grep' filters out only those passwords that are valid - they
all start '$1$' on my system, at least.

Hope that helps someone.  Don't forget, stop and then restart Apache
etc.

Dave.
-- 
Dave Ewart
Dave.Ewart at cancer.org.uk
Computing Manager, Epidemiology Unit, Oxford
Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
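
The filter-and-replace step of the script above, as an added example that is not part of the original post: it anchors the '$1$' match to the whole password field and swaps the AuthUserFile in atomically, keeping the old file if nothing valid came across. The function names, the sample entries (constructed, not real hashes) and the 640 file mode are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post). File names are assumptions.

# Constructed sample in /etc/shadow format; the hashes are made-up strings.
sample_shadow() {
    cat <<'EOF'
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11999:0:99999:7:::
bob:!$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11999:0:99999:7:::
daemon:*:11999:0:99999:7:::
carol::11999:0:99999:7:::
dave:$1$short$tooshort:11999:0:99999:7:::
erin:$1$Zz09./aa$0123456789abcdefghijkl:11999:0:99999:7:::
EOF
}

# stdin: shadow lines. stdout: "user:hash" for well-formed MD5-crypt entries
# only ($1$ + salt of up to 8 chars + $ + 22 chars). The match is anchored to
# the whole password field, so locked ("!" prefix), disabled ("*"), empty
# and truncated entries are all dropped.
shadow_to_htpasswd() {
    cut -d: -f1-2 |
        grep -E '^[A-Za-z_][A-Za-z0-9_.-]*:\$1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$'
}

# stdin: shadow lines. $1: the AuthUserFile to replace.
# Builds the new file beside the target and renames it into place, so Apache
# never reads a half-written file. If no valid entry was produced (failed or
# empty copy), the existing file is left untouched and 1 is returned.
install_htpasswd() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1   # created with mode 0600
    shadow_to_htpasswd > "$tmp" || true            # grep exits 1 on no match
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    chmod 640 "$tmp"   # assumption: the Apache user reads it via group ownership
    mv -f "$tmp" "$target"
}

# Demo on the constructed sample: prints only the alice and erin entries.
sample_shadow | shadow_to_htpasswd
```

An unanchored grep for '$1$' would also keep the bob and dave lines, which Apache can never match against a typed password.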



