Programmatically Building Htpasswd

Programmatically building htpasswd

.htpasswd files are just text files with a specific format depending on the hash function specified. If you are using MD5 they look like this:

foo:$apr1$y1cXxW5l$3vapv2yyCXaYz8zGoXj241

That's the login, a colon, $apr1$, the salt and 1000 times md5 encoded as base64. If you select SHA1 they look like this:

foo:{SHA}BW6v589SIg3i3zaEW47RcMZ+I+M=

That's the login, a colon, the string {SHA} and the SHA1 hash encoded with base64.

If your language has an implementation of either MD5 or SHA1 and base64 you can just create the file like this:

<?php

$login = 'foo';
$pass = 'pass';
$hash = base64_encode(sha1($pass, true));

$contents = $login . ':{SHA}' . $hash;

file_put_contents('.htpasswd', $contents);

?>

Here's more information on the format:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html
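The line formats described above, as an added Python example that is not part of the original answer: it builds {SHA} lines the same way the PHP snippet does, parses an htpasswd file into schemes, verifies {SHA} entries in constant time, and lists the logins still stored as unsalted SHA1. All function names are hypothetical; the bcrypt prefixes, the skipping of `#` lines and the first-entry-wins rule are assumptions of this example, and the sample file is constructed.

```python
import base64
import hashlib
import hmac

# Prefixes for the schemes named on this page; the bcrypt prefixes are an assumption.
SCHEMES = (("{SHA}", "sha1"), ("$apr1$", "apr1-md5"),
           ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"))

def make_sha_entry(login, password):
    """Build 'login:{SHA}base64(sha1(password))', like the PHP snippet above."""
    if ":" in login or "\n" in login or "\r" in login:
        raise ValueError("login must not contain ':' or line breaks")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return login + ":{SHA}" + base64.b64encode(digest).decode("ascii")

def parse_htpasswd(text):
    """Return {login: (scheme, stored_hash)}; skip blank and '#' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        login, stored = line.split(":", 1)
        scheme = next((name for prefix, name in SCHEMES
                       if stored.startswith(prefix)), "unknown")
        entries.setdefault(login, (scheme, stored))  # assumption: first entry wins
    return entries

def check_sha(stored, password):
    """Verify a {SHA} hash using a constant-time comparison."""
    expected = make_sha_entry("x", password).split(":", 1)[1]
    return hmac.compare_digest(stored.encode(), expected.encode())

def unsalted_logins(entries):
    """{SHA} has no salt, so equal passwords give equal hashes; list those logins."""
    return sorted(u for u, (scheme, _) in entries.items() if scheme == "sha1")

# Constructed sample: the apr1 line from this page plus two generated {SHA} lines.
SAMPLE = "\n".join(["# constructed sample",
                    "foo:$apr1$y1cXxW5l$3vapv2yyCXaYz8zGoXj241",
                    make_sha_entry("alice", "password"),
                    make_sha_entry("bob", "password")])

if __name__ == "__main__":
    parsed = parse_htpasswd(SAMPLE)
    print(parsed)
    print("unsalted:", unsalted_logins(parsed))
```

In the sample, alice and bob share a password and therefore share an identical stored hash, which is what the missing salt means in practice.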

How to programmatically build an APR1-MD5 using PHP

It turns out I made a mistake and this function does in fact create working APR1 htpasswd entries. They do look different to the ones Apache creates but they do work.

HTTP-Authentication with .htpasswd file

I doubt that there is a direct way to ask Apache to authenticate a user, but there are a few workarounds for it:

  1. Implement the missing algorithms yourself: APR1-MD5, SHA
  2. Use shell_exec("htpasswd -nb $user $password") to generate the hash and check it in the .htpasswd file
  3. Set up a virtual server on an internal interface that uses the .htpasswd file to authenticate, and perform a curl call (with the user's credentials) to it, checking the response header (200 for authorized, 4xx for not authorized)

How do I parse and use htpasswd files in C#

I recently added support for Apache MD5 to CryptSharp. It can compute and verify these passwords for you. Since it's a variant you'll need to give an extra parameter to the Crypter.MD5.Crypt() method:

// Compute an Apache-variant MD5 hash for the given password.
string cryptedPassword = Crypter.MD5.Crypt("HelloWorld", new CrypterOptions
{
    { CrypterOption.Variant, MD5CrypterVariant.Apache }
});

To verify:

bool matches = Crypter.CheckPassword("HelloWorld", cryptedPassword);

You can also verify using the Crypt() method itself, but CheckPassword() automatically determines if it's Apache MD5, DES, etc.

Hope this helps

James

how to generate a hash like apache's htpasswd using java

Passwords in Apache .htpasswd files are encoded using a salt. If you want to generate these passwords using Java you'll need to do the same. This site has an explanation of the salt/hashing algorithm used for Apache's .htpasswd files; I am looking for an actual algorithm you could use and will edit my answer after I find one.

EDIT: Looks like it's been asked before, right here on SO:

Programmatically building htpasswd

Here's the documentation from Apache, along with their source code:

http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co

Can I programmatically log a user out of .htaccess authorization?

<?php
// this PHP will cause a logout event, and give the login prompt again

$AuthName='WHAT-EVER'; // must match AuthName in .htaccess.
header('HTTP/1.0 401 Unauthorized');
header('Content-type: text/html');
header('WWW-Authenticate: Basic realm="'.$AuthName.'"');

// now redirect them when they click cancel
// should be to a page with no password required.
// use an HTML meta redirect instead of HTTP
// so it runs after the auth is cancelled.
?>
<html><head><meta http-equiv='refresh' content='0;../'></head></html>

Add a comment on .htpasswd

Apache's config file format (of which .htaccess files are one example) doesn't technically support inline comments, only full-line comments (i.e. a line beginning with a #).

Lines that begin with the hash character "#" are considered comments, and are ignored. Comments may not be included on a line after a configuration directive. -- Official Apache 2.4 manual

How to automate generation of htpasswd from command line without typing password?

Why not just use:

htpasswd -b -c ~/temp/password admin test101

Generating htpasswd entry using R

Coming back to this....

The bcrypt package provides an R interface to the blowfish password hashing algorithm, and can be used to generate a suitable file. There don't seem to be packages for the other algorithms, but this one works.

library(bcrypt)

user_list <- list(
c("user1", "password1")
)
user_str <- sapply(user_list, function(x) paste(x[1], hashpw(x[2]), sep=":"))
writeLines(user_str, "auth")

Login page vs. htpasswd - Which is more secure?

I'd say always the login form (by which I assume you mean standard session-based authentication).

  • .htaccess authentication transmits the password on every request (Of course, SSL would help here)

  • .htaccess authentication doesn't have any rate limiting / brute-force protection by default in Apache

  • Logging out from .htaccess authentication is a bitch


