From: Vincent Bray Date: Sun, 9 Sep 2007 22:31:40 +0000 (+0000) Subject: Copy new password formats document from trunk X-Git-Tag: 2.2.7~440 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe291c24d7dfd4eed6f5547d05ef1c9bd78476b5;p=thirdparty%2Fapache%2Fhttpd.git Copy new password formats document from trunk git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@574089 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/howto/auth.html.en b/docs/manual/howto/auth.html.en index 7dbb27434a3..228ac970bd7 100644 --- a/docs/manual/howto/auth.html.en +++ b/docs/manual/howto/auth.html.en @@ -377,7 +377,11 @@ person in contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

- + +

The various ciphers supported by Apache for authentication data are + explained in Password + Encryptions.

+

And you may want to look at the Access Control howto, which discusses a number of related topics.

diff --git a/docs/manual/howto/auth.xml b/docs/manual/howto/auth.xml index 36beabc6e66..c9bcc69bf57 100644 --- a/docs/manual/howto/auth.xml +++ b/docs/manual/howto/auth.xml @@ -377,7 +377,11 @@ person in contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

- + +

The various ciphers supported by Apache for authentication data are + explained in Password + Encryptions.

+

And you may want to look at the Access Control howto, which discusses a number of related topics.

diff --git a/docs/manual/misc/index.html.en b/docs/manual/misc/index.html.en index ae5c39dcbf9..f730fd2b0b8 100644 --- a/docs/manual/misc/index.html.en +++ b/docs/manual/misc/index.html.en @@ -67,6 +67,13 @@

This document acts as a reference page for most of the relevant standards that Apache follows.

+ +
Password Encryption Formats
+ +
+

Discussion of the various ciphers supported by Apache for + authentication purposes.

+
diff --git a/docs/manual/misc/index.xml b/docs/manual/misc/index.xml index 9f0c8c446cf..e59da6fdf68 100644 --- a/docs/manual/misc/index.xml +++ b/docs/manual/misc/index.xml @@ -71,6 +71,13 @@

This document acts as a reference page for most of the relevant standards that Apache follows.

+ +
Password Encryption Formats
+ +
+

Discussion of the various ciphers supported by Apache for + authentication purposes.

+
diff --git a/docs/manual/misc/password_encryptions.html b/docs/manual/misc/password_encryptions.html new file mode 100644 index 00000000000..1f357ebf83c --- /dev/null +++ b/docs/manual/misc/password_encryptions.html @@ -0,0 +1,3 @@ +URI: password_encryptions.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 diff --git a/docs/manual/misc/password_encryptions.html.en b/docs/manual/misc/password_encryptions.html.en new file mode 100644 index 00000000000..15c3d46b8cd --- /dev/null +++ b/docs/manual/misc/password_encryptions.html.en @@ -0,0 +1,214 @@ + + + +Password Formats - Apache HTTP Server + + + + +
+

Modules | Directives | FAQ | Glossary | Sitemap

+

Apache HTTP Server Version 2.2

+
+
<-
+
+Apache > HTTP Server > Documentation > Version 2.2 > Miscellaneous Documentation

Password Formats

+
+

Available Languages:  en 

+
+ +

Notes about the password encryption formats generated and understood by + Apache.

+
+ +
top
+
+

Basic Authentication

+ +

There are four formats that Apache recognizes for basic-authentication + passwords. Note that not all formats work on every platform:

+ +
+
PLAIN TEXT (i.e. unencrypted)
+
Windows, BEOS, & Netware only.
+ +
CRYPT
+
Unix only. Uses the traditional Unix crypt(3) function + with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 + characters of the password.
+ +
SHA1
+
"{SHA}" + Base64-encoded SHA-1 digest of the password.
+ +
MD5
+
"$apr1$" + the result of an Apache-specific algorithm using an + iterated (1,000 times) MD5 digest of various combinations of a + randoml 32-bit salt and the password. See the APR source file + apr_md5.c + for the details of the algorithm.
+
+ +

Generating values with htpasswd

+ +

MD5

+ $ htpasswd -nbm myName myPassword
+ myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ +

+ +

SHA1

+ $ htpasswd -nbs myName myPassword
+ myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE= +

+ +

CRYPT

+ $ htpasswd -nbd myName myPassword
+ myName:rqXexS6ZhobKA +

+ + + +

Generating CRYPT and MD5 values with the OpenSSL + command-line program

+ + +

OpenSSL knows the Apache-specific MD5 algorithm.

+ +

MD5

+ $ openssl passwd -apr1 myPassword
+ $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 +

+ +

CRYPT

+ openssl passwd -crypt myPassword
+ qQ5vTYO3c8dsU +

+ + +

Validating CRYPT or MD5 passwords with the OpenSSL command + line program

+ +

The salt for a CRYPT password is the first two characters (converted to + a binary value). To validate myPassword against + rqXexS6ZhobKA

+ +

CRYPT

+ $ openssl passwd -crypt -salt rq myPassword
+ Warning: truncating password to 8 characters
+ rqXexS6ZhobKA +

+ +

Note that using myPasswo instead of + myPassword will produce the same result because only the + first 8 characters of CRYPT passwords are considered.

+ +

The salt for an MD5 password is between $apr1$ and the + following $ (as a Base64-encoded binary value - max 8 chars) + To validate myPassword against + $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

+ +

MD5

+ $ openssl passwd -apr1 -salt r31..... myPassword
+ $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ +

+ + +

Database password fields for mod_dbd

+

The SHA1 variant is probably the most useful format for DBD + authentication. Since the SHA1 and Base64 functions are commonly + available, other software can populate a database with encrypted passwords + that are usable by Apache basic authentication.

+ +

To create Apache SHA1-variant basic-authentication passwords in various + languages:

+ +

PHP

+ '{SHA}' . base64_encode(sha1($password, TRUE)) +

+ +

Java

+ "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes())) +

+ +

ColdFusion

+ "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex")) +

+ +

Ruby

+ require 'digest/sha1'
+ require 'base64'
+ '{SHA}' + Base64.encode64(Digest::SHA1.digest(password)) +

+ +

C or C++

+ Use the APR function: apr_sha1_base64 +

+ +

PostgreSQL (with the contrib/pgcrypto functions + installed)

+ + '{SHA}'||encode(digest(password,'sha1'),'base64') +

+ + +
top
+
+

Digest Authentication

+

Apache recognizes one format for + digest-authentication passwords - the MD5 hash of the string + user:realm:password as a 32-character string of hexadecimal + digits. realm is the Authorization Realm argument to the + AuthName directive in + httpd.conf.

+ +

Database password fields for mod_dbd

+ +

Since the MD5 function is commonly available, other software can + populate a database with encrypted passwords that are usable by Apache + digest authentication.

+ +

To create Apache digest-authentication passwords in various + languages:

+ +

PHP

+ md5($user . ':' . $realm . ':' .$password) +

+ +

Java

+ byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
+ java.math.BigInteger bi = new java.math.BigInteger(b);
+ String s = bi.toString(16);
+ if (s.length() % 2 != 0)
+ + s = "0" + s; + + // String s is the encrypted password +

+ +

ColdFusion

+ LCase(Hash( (user & ":" & realm & ":" & password) , "MD5")) +

+ +

Ruby

+ require 'digest/md5'
+ Digest::MD5.hexdigest(user + ':' + realm + ':' + password) +

+ +

PostgreSQL (with the contrib/pgcrypto functions installed)

+ + encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex') +

+ + +
+
+

Available Languages:  en 

+
+ \ No newline at end of file diff --git a/docs/manual/misc/password_encryptions.xml b/docs/manual/misc/password_encryptions.xml new file mode 100644 index 00000000000..d5067bc6aab --- /dev/null +++ b/docs/manual/misc/password_encryptions.xml @@ -0,0 +1,211 @@ + + + + + + + + + Miscellaneous Documentation + + Password Formats + + +

Notes about the password encryption formats generated and understood by + Apache.

+ + +
Basic Authentication + +

There are four formats that Apache recognizes for basic-authentication + passwords. Note that not all formats work on every platform:

+ +
+
PLAIN TEXT (i.e. unencrypted)
+
Windows, BEOS, & Netware only.
+ +
CRYPT
+
Unix only. Uses the traditional Unix crypt(3) function + with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 + characters of the password.
+ +
SHA1
+
"{SHA}" + Base64-encoded SHA-1 digest of the password.
+ +
MD5
+
"$apr1$" + the result of an Apache-specific algorithm using an + iterated (1,000 times) MD5 digest of various combinations of a + randoml 32-bit salt and the password. See the APR source file + apr_md5.c + for the details of the algorithm.
+
+ +
Generating values with htpasswd + + MD5 + $ htpasswd -nbm myName myPassword
+ myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ + + + SHA1 + $ htpasswd -nbs myName myPassword
+ myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE= + + + CRYPT + $ htpasswd -nbd myName myPassword
+ myName:rqXexS6ZhobKA + + +
+ +
+ Generating CRYPT and MD5 values with the OpenSSL + command-line program + +

OpenSSL knows the Apache-specific MD5 algorithm.

+ + MD5 + $ openssl passwd -apr1 myPassword
+ $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0 + + + CRYPT + openssl passwd -crypt myPassword
+ qQ5vTYO3c8dsU + +
+ +
+ Validating CRYPT or MD5 passwords with the OpenSSL command + line program +

The salt for a CRYPT password is the first two characters (converted to + a binary value). To validate myPassword against + rqXexS6ZhobKA

+ + CRYPT + $ openssl passwd -crypt -salt rq myPassword
+ Warning: truncating password to 8 characters
+ rqXexS6ZhobKA + + +

Note that using myPasswo instead of + myPassword will produce the same result because only the + first 8 characters of CRYPT passwords are considered.

+ +

The salt for an MD5 password is between $apr1$ and the + following $ (as a Base64-encoded binary value - max 8 chars) + To validate myPassword against + $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

+ + MD5 + $ openssl passwd -apr1 -salt r31..... myPassword
+ $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ + +
+ +
Database password fields for mod_dbd +

The SHA1 variant is probably the most useful format for DBD + authentication. Since the SHA1 and Base64 functions are commonly + available, other software can populate a database with encrypted passwords + that are usable by Apache basic authentication.

+ +

To create Apache SHA1-variant basic-authentication passwords in various + languages:

+ + PHP + '{SHA}' . base64_encode(sha1($password, TRUE)) + + + Java + "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes())) + + + ColdFusion + "{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex")) + + + Ruby + require 'digest/sha1'
+ require 'base64'
+ '{SHA}' + Base64.encode64(Digest::SHA1.digest(password)) + + + C or C++ + Use the APR function: apr_sha1_base64 + + + + PostgreSQL (with the contrib/pgcrypto functions + installed) + '{SHA}'||encode(digest(password,'sha1'),'base64') + +
+ +
+ +
Digest Authentication +

Apache recognizes one format for + digest-authentication passwords - the MD5 hash of the string + user:realm:password as a 32-character string of hexadecimal + digits. realm is the Authorization Realm argument to the + AuthName directive in + httpd.conf.

+ +
Database password fields for mod_dbd + +

Since the MD5 function is commonly available, other software can + populate a database with encrypted passwords that are usable by Apache + digest authentication.

+ +

To create Apache digest-authentication passwords in various + languages:

+ + PHP + md5($user . ':' . $realm . ':' .$password) + + + Java + byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
+ java.math.BigInteger bi = new java.math.BigInteger(b);
+ String s = bi.toString(16);
+ if (s.length() % 2 != 0)
+ + s = "0" + s; + + // String s is the encrypted password + + + ColdFusion + LCase(Hash( (user & ":" & realm & ":" & password) , "MD5")) + + + Ruby + require 'digest/md5'
+ Digest::MD5.hexdigest(user + ':' + realm + ':' + password) + + + + PostgreSQL (with the contrib/pgcrypto functions installed) + encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex') + + +
+
+ + diff --git a/docs/manual/misc/password_encryptions.xml.meta b/docs/manual/misc/password_encryptions.xml.meta new file mode 100644 index 00000000000..35c4091e804 --- /dev/null +++ b/docs/manual/misc/password_encryptions.xml.meta @@ -0,0 +1,11 @@ + + + + password_encryptions + /misc/ + .. + + + en + + diff --git a/docs/manual/mod/mod_dbd.html.en b/docs/manual/mod/mod_dbd.html.en index 1745c7a0ef8..c6060b72457 100644 --- a/docs/manual/mod/mod_dbd.html.en +++ b/docs/manual/mod/mod_dbd.html.en @@ -53,6 +53,9 @@
  • Connection Pooling
  • Apache DBD API
  • SQL Prepared Statements
    • +

    See also

    +
    top
    diff --git a/docs/manual/mod/mod_dbd.xml b/docs/manual/mod/mod_dbd.xml index e8c9e4c8fde..30969242223 100644 --- a/docs/manual/mod/mod_dbd.xml +++ b/docs/manual/mod/mod_dbd.xml @@ -38,6 +38,8 @@ for both threaded and non-threaded MPMs.

    +Password Formats +
    Connection Pooling

    This module manages database connections, in a manner optimised for the platform. On non-threaded platforms,