  1. #1
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47

    Different encryption between PHP and htpasswd command?


    So I have a htpasswd file, where I need users to be able to change their own passwords.

    I found an old project on sourceforge, HT Password Manager:
    HT Password Manager | Free software downloads at SourceForge.net

    Loaded it up on the machine, pointed it at a test passwd file.

    Any user can log in using their set password. The issue starts when they CHANGE their password. I can see in the htpasswd file, the password has been changed. However they can no longer log in with what they have set the new password to. If I run htpasswd from the Linux machine, I can log in again.

    Basically I am wondering if there is a difference between what the PHP script is calling, and what htpasswd is using?

    AFAIK htpasswd uses crypt() calls.
    The line from the php is: $data_pair[1] = crypt($_POST['newpass1'],CRYPT_STD_DES);

    As I don't know much about crypt or PHP, I was hoping that someone could tell me how to get these to match up.

    I am running Debian 6.0.4.

  2. #2
    Penguin of trust elija
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,534
    I think you just need
    Code:
    $data_pair[1] = crypt($_POST['newpass1']);
    for things to work correctly with htpasswd.

    Also passing unvalidated POST data to a system command or SQL statement is just asking for the joy of fixing a very badly hacked server.
    What do we want?
    Time machines!

    When do we want 'em?
    Doesn't really matter does it!?


    The Fifth Continent

  3. #3
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47
    Quote: Originally posted by elija
    I think you just need
    Code:
    $data_pair[1] = crypt($_POST['newpass1']);
    for things to work correctly with htpasswd.
    Didn't work unfortunately, and I guess that is still the wrong encryption:
    Before:
    brian.omahony:r5NW.1fJNkM1c
    After:
    brian.omahony:$1$gpUZ/5EQ$5xaQAj7mPKEB3D60CKGl./




    Quote: Originally posted by elija
    Also passing unvalidated POST data to a system command or SQL statement is just asking for the joy of fixing a very badly hacked server.
    I know. Thing is, this system has a legacy application on which users haven't changed their passwords in about 5 years. They all need to change them next week. Thankfully however, it is an internal system and goes nowhere near the internet.

  4. #4
    Penguin of trust elija
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,534
    It may be worth removing the htpasswd that you installed and installing the Debian package.
    Code:
    sudo apt-get install apache2-utils
    As it's the Debian version it may use the same encryption as the Debian PHP package.

  5. #5
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47
    Apologies for the delay, I decided to take some time off.

    I tried removing htpasswd and force installing apache2-utils [it was the same pkg version before, and after]. No change.

    I copied the folder over as is to a RHEL 5.6 box, and it works fine. So this is obviously an issue somewhere with Debian. I'm not sure where to go to try to troubleshoot this further as it is a pretty weird (and specific) problem. I reckon I'll pop a mail off to the Debian list and see if they have any suggestions....
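
The "Before" and "After" lines quoted in post #3 are in two different crypt() hash formats: a 13-character traditional DES hash and a `$1$` MD5-crypt hash. The following is an added example, not code from the thread or from HT Password Manager, that classifies an htpasswd hash by format and checks a password against it; the function names are hypothetical, the user and password are constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example; function names are hypothetical. Assumes PHP 7.1+.

// Identify the hash scheme of the part after "user:" in an htpasswd line.
function htpasswd_scheme(string $hash): string
{
    if (strncmp($hash, '$apr1$', 6) === 0) return 'apr1-md5';    // htpasswd -m
    if (strncmp($hash, '$1$', 3) === 0)    return 'md5-crypt';   // crypt() MD5
    if (preg_match('#^\$2[abxy]\$#', $hash)) return 'bcrypt';    // htpasswd -B
    if (strncmp($hash, '{SHA}', 5) === 0)  return 'sha1-base64'; // htpasswd -s
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'des-crypt'; // htpasswd -d
    return 'unknown';
}

// Returns true/false for schemes PHP can recompute, null when it cannot.
function htpasswd_verify(string $password, string $hash): ?bool
{
    switch (htpasswd_scheme($hash)) {
        case 'des-crypt':
        case 'md5-crypt':
        case 'bcrypt':
            // crypt() takes the scheme and salt from the stored hash.
            return hash_equals($hash, crypt($password, $hash));
        case 'sha1-base64':
            return hash_equals($hash, '{SHA}' . base64_encode(sha1($password, true)));
        default:
            return null; // e.g. $apr1$, which PHP's crypt() does not implement
    }
}

// Build a DES-crypt line with an explicit two-character salt.
// DES crypt only uses the first 8 characters of the password.
function htpasswd_des_entry(string $user, string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return $user . ':' . crypt($password, $salt);
}

// The two hashes quoted in post #3.
foreach (['r5NW.1fJNkM1c', '$1$gpUZ/5EQ$5xaQAj7mPKEB3D60CKGl./'] as $h) {
    printf("%-36s %s\n", $h, htpasswd_scheme($h));
}

// Round trip with a constructed user and password.
[, $hash] = explode(':', htpasswd_des_entry('demo.user', 'Sample-1'), 2);
var_dump(htpasswd_verify('Sample-1', $hash), htpasswd_verify('wrong', $hash));
```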
