From: Vincent Bray <noodl@apache.org>
Date: Sun, 19 Aug 2007 18:18:17 +0000 (+0000)
Subject: Description of password formats copied from Tom Donovan's work on the wiki
X-Git-Tag: 2.3.0~1589
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b635225f1ccc9f86d1d6f266a5f081a9bfc8f9a8;p=thirdparty%2Fapache%2Fhttpd.git

Description of password formats copied from Tom Donovan's work on the wiki

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@567450 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/misc/password_encryptions.html b/docs/manual/misc/password_encryptions.html
new file mode 100644
index 00000000000..1f357ebf83c
--- /dev/null
+++ b/docs/manual/misc/password_encryptions.html
@@ -0,0 +1,3 @@
+URI: password_encryptions.html.en
+Content-Language: en
+Content-type: text/html; charset=ISO-8859-1
diff --git a/docs/manual/misc/password_encryptions.html.en b/docs/manual/misc/password_encryptions.html.en
new file mode 100644
index 00000000000..f1836eede75
--- /dev/null
+++ b/docs/manual/misc/password_encryptions.html.en
@@ -0,0 +1,208 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+              This file is generated from xml source: DO NOT EDIT
+        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+      -->
+<title>Password Formats - Apache HTTP Server</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.3</p>
+<img alt="" src="../images/feather.gif" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.3</a> &gt; <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Password Formats</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English">&nbsp;en&nbsp;</a></p>
+</div>
+
+    <p>Notes about the password encryption formats generated and understood by
+    Apache.</p>
+  </div>
+<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#basic">Basic Authentication</a></li>
+<li><img alt="" src="../images/down.gif" /> Digest Authentication</li>
+</ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="basic" id="basic">Basic Authentication</a></h2>
+
+    <p>There are four formats that Apache recognizes for basic-authentication
+    passwords. Note that not all formats work on every platform:</p>
+    
+    <dl>
+      <dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
+      <dd>Windows, BEOS, &amp; Netware only.</dd>
+       
+       <dt>CRYPT</dt>
+       <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
+       32-bit salt and the password.</dd>
+       
+       <dt>SHA1</dt>
+       <dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
+       
+       <dt>MD5</dt>
+       <dd>"$apr1$" + the result of an Apache-specific algorithm using an
+       iterated (1,000 times) MD5 digest of various combinations of a
+       randomly-generated 32-bit salt and the password. See the APR source file
+       <a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
+       for the details of the algorithm.</dd>
+    </dl>
+    
+    <h3>Generating values with htpasswd</h3>
+      
+      <div class="example"><h3>MD5</h3><p><code>
+      $ htpasswd -nbm myName myPassword<br />
+      myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+      </code></p></div>
+      
+      <div class="example"><h3>SHA1</h3><p><code>
+      $ htpasswd -nbs myName myPassword<br />
+      myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
+      </code></p></div>
+      
+      <div class="example"><h3>CRYPT</h3><p><code>
+      $ htpasswd -nbd myName myPassword<br />
+      myName:rqXexS6ZhobKA
+      </code></p></div>
+      
+    
+    
+    <h3>Generating CRYPT and MD5 values with the OpenSSL
+             command-line program</h3>
+      
+      
+      <p>OpenSSL knows the Apache-specific MD5 algorithm.</p>
+      
+      <div class="example"><h3>MD5</h3><p><code>
+      $ openssl passwd -apr1 myPassword<br />
+      $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
+      </code></p></div>
+
+      <div class="example"><h3>CRYPT</h3><p><code>
+      openssl passwd -crypt myPassword<br />
+      qQ5vTYO3c8dsU
+      </code></p></div>
+    
+    
+    <h3>Validating CRYPT or MD5 passwords with the OpenSSL command
+             line program</h3>
+      
+      <p>The salt for a CRYPT password is the first two characters (as a
+      Base64-encoded binary value). To validate <code>myPassword</code> against
+      <code>rqXexS6ZhobKA</code></p>
+      
+      <div class="example"><h3>CRYPT</h3><p><code>
+      $ openssl passwd -crypt -salt rq myPassword<br />
+      Warning: truncating password to 8 characters<br />
+      rqXexS6ZhobKA
+      </code></p></div>
+      
+      <p>Note that using <code>myPasswo</code> instead of
+      <code>myPassword</code> will produce the same result because only the
+      first 8 characters of CRYPT passwords are considered.</p>
+      
+      <p>The salt for an MD5 password is between <code>$apr1$</code> and the
+      following <code>$</code> (as a Base64-encoded binary value - max 8 chars)
+      To validate <code>myPassword</code> against
+      <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>
+      
+      <div class="example"><h3>MD5</h3><p><code>
+      $ openssl passwd -apr1 -salt r31..... myPassword<br />
+      $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+      </code></p></div>
+    
+    
+    <h3>Database password fields for mod_dbd</h3>
+      <p>The SHA1 variant is probably the most useful format for DBD
+      authentication. Since the SHA1-hash and Base64-encoding functions are
+      commonly available, other software can populate a database with encrypted
+      passwords which are usable by Apache basic authentication.</p>
+      
+      <p>To create Apache SHA1-variant basic-authentication passwords in various
+      languages:</p>
+      
+      <div class="example"><h3>PHP</h3><p><code>
+      '{SHA}' . base64_encode(sha1($password, TRUE))
+      </code></p></div>
+      
+      <div class="example"><h3>Java</h3><p><code>
+      "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
+      </code></p></div>
+      
+      <div class="example"><h3>ColdFusion</h3><p><code>
+      "{SHA}" &amp; ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
+      </code></p></div>
+      
+      <div class="example"><h3>Ruby</h3><p><code>
+      require 'digest/sha1'<br />
+      require 'base64'<br />
+      '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
+      </code></p></div>
+      
+      <div class="example"><h3>C or C++</h3><p><code>
+      Use the APR function: apr_sha1_base64
+      </code></p></div>
+      
+      <div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions
+               installed)</h3><p><code>
+        
+        '{SHA}'||encode(digest(password,'sha1'),'base64')
+      </code></p></div>
+    
+    
+  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2>Digest Authentication</h2>
+    <p>There is only one format which Apache recognizes for
+    digest-authentication passwords. This format is the MD5 hash of the string
+    <code>user:realm:password</code> as a 32-character string of hexadecimal
+    digits. <code>realm</code> is the Authorization Realm argument to the
+    <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive in
+    httpd.conf.</p>
+    
+    <h3>Database password fields for mod_dbd</h3>
+      
+      <p>Since the MD5-hash function is commonly available, other software can
+      populate a database with encrypted passwords which are usable by Apache
+      digest authentication.</p>
+      
+      <p>To create Apache digest-authentication passwords in various
+      languages:</p>
+      
+      <div class="example"><h3>PHP</h3><p><code>
+      md5($user . ':' . $realm . ':' .$password)
+      </code></p></div>
+      
+      <div class="example"><h3>Java</h3><p><code>
+      byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
+      java.math.BigInteger bi = new java.math.BigInteger(b);<br />
+      String s = bi.toString(16);<br />
+      if (s.length() % 2 != 0)<br />
+      <span class="indent">
+        s = "0" + s;
+      </span>
+      // String s is the digest hash
+      </code></p></div>
+      
+      <div class="example"><h3>ColdFusion</h3><p><code>
+      LCase(Hash( (user &amp; ":" &amp; realm &amp; ":" &amp; password) , "MD5"))
+      </code></p></div>
+      
+      <div class="example"><h3>Ruby</h3><p><code>
+      require 'digest/md5'<br />
+      Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
+      </code></p></div>
+      
+    
+  </div></div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English">&nbsp;en&nbsp;</a></p>
+</div><div id="footer">
+<p class="apache">Copyright 2006 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
+</body></html>
\ No newline at end of file
diff --git a/docs/manual/misc/password_encryptions.xml b/docs/manual/misc/password_encryptions.xml
new file mode 100644
index 00000000000..91d32c788bd
--- /dev/null
+++ b/docs/manual/misc/password_encryptions.xml
@@ -0,0 +1,205 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manualpage metafile="password_encryptions.xml.meta">
+  <parentdocument href="./">Miscellaneous Documentation</parentdocument>
+  
+  <title>Password Formats</title>
+  
+  <summary>
+    <p>Notes about the password encryption formats generated and understood by
+    Apache.</p>
+  </summary>
+  
+  <section id="basic"><title>Basic Authentication</title>
+
+    <p>There are four formats that Apache recognizes for basic-authentication
+    passwords. Note that not all formats work on every platform:</p>
+    
+    <dl>
+      <dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
+      <dd>Windows, BEOS, &amp; Netware only.</dd>
+       
+       <dt>CRYPT</dt>
+       <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
+       32-bit salt and the password.</dd>
+       
+       <dt>SHA1</dt>
+       <dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
+       
+       <dt>MD5</dt>
+       <dd>"$apr1$" + the result of an Apache-specific algorithm using an
+       iterated (1,000 times) MD5 digest of various combinations of a
+       randomly-generated 32-bit salt and the password. See the APR source file
+       <a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
+       for the details of the algorithm.</dd>
+    </dl>
+    
+    <section><title>Generating values with htpasswd</title>
+      
+      <example><title>MD5</title>
+      $ htpasswd -nbm myName myPassword<br />
+      myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+      </example>
+      
+      <example><title>SHA1</title>
+      $ htpasswd -nbs myName myPassword<br />
+      myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
+      </example>
+      
+      <example><title>CRYPT</title>
+      $ htpasswd -nbd myName myPassword<br />
+      myName:rqXexS6ZhobKA
+      </example>
+      
+    </section>
+    
+    <section>
+      <title>Generating CRYPT and MD5 values with the OpenSSL
+             command-line program</title>
+      
+      <p>OpenSSL knows the Apache-specific MD5 algorithm.</p>
+      
+      <example><title>MD5</title>
+      $ openssl passwd -apr1 myPassword<br />
+      $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
+      </example>
+
+      <example><title>CRYPT</title>
+      openssl passwd -crypt myPassword<br />
+      qQ5vTYO3c8dsU
+      </example>
+    </section>
+    
+    <section>
+      <title>Validating CRYPT or MD5 passwords with the OpenSSL command
+             line program</title>
+      <p>The salt for a CRYPT password is the first two characters (as a
+      Base64-encoded binary value). To validate <code>myPassword</code> against
+      <code>rqXexS6ZhobKA</code></p>
+      
+      <example><title>CRYPT</title>
+      $ openssl passwd -crypt -salt rq myPassword<br />
+      Warning: truncating password to 8 characters<br />
+      rqXexS6ZhobKA
+      </example>
+      
+      <p>Note that using <code>myPasswo</code> instead of
+      <code>myPassword</code> will produce the same result because only the
+      first 8 characters of CRYPT passwords are considered.</p>
+      
+      <p>The salt for an MD5 password is between <code>$apr1$</code> and the
+      following <code>$</code> (as a Base64-encoded binary value - max 8 chars)
+      To validate <code>myPassword</code> against
+      <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>
+      
+      <example><title>MD5</title>
+      $ openssl passwd -apr1 -salt r31..... myPassword<br />
+      $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
+      </example>
+    </section>
+    
+    <section><title>Database password fields for mod_dbd</title>
+      <p>The SHA1 variant is probably the most useful format for DBD
+      authentication. Since the SHA1-hash and Base64-encoding functions are
+      commonly available, other software can populate a database with encrypted
+      passwords that are usable by Apache basic authentication.</p>
+      
+      <p>To create Apache SHA1-variant basic-authentication passwords in various
+      languages:</p>
+      
+      <example><title>PHP</title>
+      '{SHA}' . base64_encode(sha1($password, TRUE))
+      </example>
+      
+      <example><title>Java</title>
+      "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
+      </example>
+      
+      <example><title>ColdFusion</title>
+      "{SHA}" &amp; ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
+      </example>
+      
+      <example><title>Ruby</title>
+      require 'digest/sha1'<br />
+      require 'base64'<br />
+      '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
+      </example>
+      
+      <example><title>C or C++</title>
+      Use the APR function: apr_sha1_base64
+      </example>
+      
+      <example>
+        <title>PostgreSQL (with the contrib/pgcrypto functions
+               installed)</title>
+        '{SHA}'||encode(digest(password,'sha1'),'base64')
+      </example>
+    </section>
+    
+  </section>
+  
+  <section><title>Digest Authentication</title>
+    <p>There is only one format that Apache recognizes for
+    digest-authentication passwords. This format is the MD5 hash of the string
+    <code>user:realm:password</code> as a 32-character string of hexadecimal
+    digits. <code>realm</code> is the Authorization Realm argument to the
+    <directive module="mod_authn_core">AuthName</directive> directive in
+    httpd.conf.</p>
+    
+    <section><title>Database password fields for mod_dbd</title>
+      
+      <p>Since the MD5-hash function is commonly available, other software can
+      populate a database with encrypted passwords that are usable by Apache
+      digest authentication.</p>
+      
+      <p>To create Apache digest-authentication passwords in various
+      languages:</p>
+      
+      <example><title>PHP</title>
+      md5($user . ':' . $realm . ':' .$password)
+      </example>
+      
+      <example><title>Java</title>
+      byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
+      java.math.BigInteger bi = new java.math.BigInteger(b);<br />
+      String s = bi.toString(16);<br />
+      if (s.length() % 2 != 0)<br />
+      <indent>
+        s = "0" + s;
+      </indent>
+      // String s is the digest hash
+      </example>
+      
+      <example><title>ColdFusion</title>
+      LCase(Hash( (user &amp; ":" &amp; realm &amp; ":" &amp; password) , "MD5"))
+      </example>
+      
+      <example><title>Ruby</title>
+      require 'digest/md5'<br />
+      Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
+      </example>
+      
+    </section>
+  </section>
+  
+</manualpage>
\ No newline at end of file
diff --git a/docs/manual/misc/password_encryptions.xml.meta b/docs/manual/misc/password_encryptions.xml.meta
new file mode 100644
index 00000000000..35c4091e804
--- /dev/null
+++ b/docs/manual/misc/password_encryptions.xml.meta
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<metafile>
+  <basename>password_encryptions</basename>
+  <path>/misc/</path>
+  <relpath>..</relpath>
+
+  <variants>
+    <variant>en</variant>
+  </variants>
+</metafile>