[rt-users] RT3 encryption
Scott T. Cameron
karn at routehero.com
Wed Nov 26 11:03:48 EST 2003
On Wed, Nov 26, 2003 at 07:59:15AM -0800, Robert Spier wrote:
>
> > Right. Do you know if there's a way for apache's 'htaccess'
> > mechanism to read a salt-less MD5 password? I haven't been able to
> > get this to work yet.
>
> I'm not sure it will.
>
> Definitely what it writes is incompatible:
>
> The MD5 algorithm used by htpasswd is specific to the Apache
> software; passwords encrypted using it will not be usable with
> other Web servers.
> http://httpd.apache.org/docs-2.0/programs/htpasswd.html
>
> $ /home/perl/apache2/bin/htpasswd -bnm username password
> username:$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq.
>
> Note the "type" of apr1.
>
> Linux generates:
> $1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1
>
> Longer term, RT should switch to salting its MD5 hashes. Or maybe
> some pepper. That's probably a 3.2 thing.
>
> Crypt::PasswdMD5 does both Linux/FreeBSD style MD5 and Apache
> style, which leads to all sorts of fun.
>
> But sadly, this doesn't help your immediate problem.
Thanks. This is more or less what I have been able to determine, but it's good to know I'm not doing something horribly wrong.
Interestingly enough, I've been able to get Linux/FreeBSD-style MD5 hashes to work fine with Apache's htaccess mechanism. Just have to force our users to go to a website and generate a password for them.
Scott
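
The relationship between the `$1$` and `$apr1$` strings quoted in this thread, as an added example that is not part of the original messages: md5-crypt in Python, where the only difference between the Linux/FreeBSD and Apache forms is the magic prefix mixed into the first digest. The names `md5_crypt` and `verify` are chosen for this example, and the salt/password pairing in the second check is constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> str:
    """md5-crypt: magic b"$1$" is the Linux/FreeBSD form, b"$apr1$" is Apache's."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    buf = password + magic + salt  # the magic string is hashed, not just prepended
    n = len(password)
    buf += alt * (n // 16) + alt[: n % 16]  # one byte of alt per password byte
    i = n
    while i:  # per bit of the length: NUL if set, else first password byte
        buf += b"\0" if i & 1 else password[:1]
        i >>= 1
    final = hashlib.md5(buf).digest()
    for r in range(1000):  # fixed 1000-round stretching loop
        data = password if r & 1 else final
        if r % 3:
            data += salt
        if r % 7:
            data += password
        data += final if r & 1 else password
        final = hashlib.md5(data).digest()
    # Custom base64: five permuted 24-bit words (4 chars each), then byte 11 (2 chars).
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    words = [final[a] << 16 | final[b] << 8 | final[c] for a, b, c in order]
    out = ""
    for v, width in [(w, 4) for w in words] + [(final[11], 2)]:
        for _ in range(width):
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"{magic.decode()}{salt.decode()}${out}"

def verify(stored: str, password: str) -> bool:
    """Check a password against a $1$ or $apr1$ string; reject any other format."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("1", "apr1"):
        return False  # e.g. a bare 32-hex unsalted MD5 has no "$" fields
    magic = f"${parts[1]}$".encode()
    candidate = md5_crypt(password.encode(), parts[2].encode(), magic)
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    # The htpasswd -bnm line quoted in the message above.
    print(verify("$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq.", "password"))
    # Constructed pairing: the quoted Linux salt with the password "password".
    print(verify(md5_crypt(b"password", b"MGw18b6V"), "password"))
```
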