[rt-users] RT3 encryption

Robert Spier rspier at pobox.com
Wed Nov 26 10:59:15 EST 2003


> Right.  Do you know if there's a way for apache's 'htaccess'
> mechanism to read a salt-less MD5 password?  I haven't been able to
> get this to work yet.

I'm not sure it will.

Definitely, what it writes is incompatible:

    The MD5 algorithm used by htpasswd is specific to the Apache
    software; passwords encrypted using it will not be usable with
    other Web servers.
    http://httpd.apache.org/docs-2.0/programs/htpasswd.html

$ /home/perl/apache2/bin/htpasswd  -bnm username password
username:$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq.

Note the "type" of apr1.

Linux generates:
    $1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1

Longer term, RT should switch to salting its MD5 hashes.  Or maybe
some pepper.  That's probably a 3.2 thing.

Crypt::PasswdMD5 does both Linux/FreeBSD style MD5 and Apache
style, which leads to all sorts of fun.

But sadly, this doesn't help your immediate problem.

-R
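
Added example, not part of the original message and not code from RT, Apache or Crypt::PasswdMD5: a Python sketch of MD5-crypt showing that the "$apr1$" and "$1$" formats are the same salted, 1000-round construction and differ only in the magic string mixed into the first digest, which is why neither verifier accepts the other's output. The names md5_crypt and verify are made up for this example; the password and salt are the ones in the htpasswd output quoted above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5_crypt(password: str, salt: str, magic: str) -> str:
    """MD5-crypt; magic is "$1$" (Linux/FreeBSD) or "$apr1$" (Apache)."""
    pw, s, m = password.encode(), salt[:8].encode(), magic.encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + m + s)  # the only place the magic string enters
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Custom base64: five 24-bit groups in permuted byte order, then one byte.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    words = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups]
    out = ""
    for value, width in words + [(final[11], 2)]:
        for _ in range(width):
            out += ITOA64[value & 0x3F]
            value >>= 6
    return f"{magic}{salt[:8]}${out}"


def verify(stored: str, password: str) -> bool:
    """Recompute using the scheme tag and salt embedded in the stored string."""
    _, tag, salt, _ = stored.split("$")
    if tag not in ("1", "apr1"):
        raise ValueError("not an MD5-crypt string")
    return hmac.compare_digest(md5_crypt(password, salt, f"${tag}$"), stored)


PAGE_APR1 = "$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq."  # htpasswd output quoted above

if __name__ == "__main__":
    for magic in ("$apr1$", "$1$"):  # same password and salt, different magic
        print(md5_crypt("password", "YPiUc/..", magic))
    print(verify(PAGE_APR1, "password"))
```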
