[rt-users] RT3 encryption

Bob Goldstein bobg at uic.edu
Wed Nov 26 11:29:39 EST 2003


  Maybe you could run crack on your existing hashes, and
  then re-encode any successes with the Apache-style MD5 :-)

  [I'm joking!  If you take this seriously, be sure to
  get written permission from your boss, and ask Randal Schwartz
  for advice first.]

  Another alternative might be to use LDAP.  Many LDAP servers
  (OpenLDAP for sure) can use MD5 with and without salt.
  You could have Apache consult LDAP, and have RT set to use
  $WebExternalAuth = 1.  Of course, you need to run the
  LDAP server, but that could have other benefits
  depending on your environment.

     bobg

>
>> Right.  Do you know if there's a way for Apache's 'htaccess'
>> mechanism to read a salt-less MD5 password?  I haven't been able to
>> get this to work yet.
>
>I'm not sure it will.
>
>Definitely, what it writes is incompatible:
>
>    The MD5 algorithm used by htpasswd is specific to the Apache
>    software; passwords encrypted using it will not be usable with
>    other Web servers.
>	http://httpd.apache.org/docs-2.0/programs/htpasswd.html
>
>$ /home/perl/apache2/bin/htpasswd  -bnm username password
>username:$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq.
>
>Note the "type" of apr1.
>
>Linux generates:
>    $1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1
>
>Longer term, RT should switch to salting its MD5 hashes.  Or maybe
>some pepper.  That's probably a 3.2 thing.
>
>Crypt::PasswdMD5 does both Linux/FreeBSD style MD5 and Apache
>style... which leads to all sorts of fun.
>
>But sadly, this doesn't help your immediate problem.
>
>-R
>
>
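
The incompatibility discussed in this thread, as an added example (not code from either poster, RT, Apache or Crypt::PasswdMD5): a Python implementation of MD5-crypt showing that the `$1$` and `$apr1$` formats differ only in the magic string mixed into the hash, so a stored value cannot simply be relabeled from one to the other. The function names are hypothetical, and the bare 32-hex-digit form is an assumed serialization of a salt-less MD5; the thread does not show how RT stores it.

```python
import hashlib, hmac, re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CRYPT_RE = re.compile(r"^(\$1\$|\$apr1\$)([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]{32}$")  # assumed form of a salt-less MD5
APACHE_SAMPLE = "$apr1$YPiUc/..$jJcpU6953ESwoLsnVpaQq."  # quoted in the thread
LINUX_SAMPLE = "$1$MGw18b6V$GUmR55ftPBz0iWPkPAWUU1"      # quoted in the thread

def _to64(value, count):
    """Emit `count` base-64 characters, least significant 6 bits first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def md5_crypt(password, salt, magic="$1$"):
    """MD5-crypt with magic "$1$" (Linux/FreeBSD) or "$apr1$" (Apache)."""
    pw, s, m = password.encode(), salt[:8].encode(), magic.encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + m + s)  # the magic is hashed in, not just a label
    ctx.update((alt * (len(pw) // 16 + 1))[:len(pw)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretch
        block = pw if i & 1 else final
        block += s if i % 3 else b""
        block += pw if i % 7 else b""
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    return f"{magic}{salt[:8]}${out}{_to64(final[11], 2)}"

def classify(stored):
    m = CRYPT_RE.match(stored)
    if m:
        return "apache-apr1" if m.group(1) == "$apr1$" else "linux-md5-crypt"
    return "unsalted-md5-hex" if HEX_RE.match(stored) else "unknown"

def verify(stored, password):
    m = CRYPT_RE.match(stored)
    if m:  # recompute with the magic and salt embedded in the stored value
        return hmac.compare_digest(md5_crypt(password, m.group(2), m.group(1)), stored)
    if HEX_RE.match(stored):
        return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored.lower())
    return False

if __name__ == "__main__":
    for sample in (APACHE_SAMPLE, LINUX_SAMPLE, hashlib.md5(b"password").hexdigest()):
        print(classify(sample), sample)
```

Because verification needs the plaintext, moving between these formats means re-hashing at the user's next successful login or password reset rather than converting the stored value.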