I'm trying to write a php script that allows me to add users to our admin page (htaccess), and I'm having trouble with the crypt function.

If I go to the command line, and add a user with 'htpasswd userfile user' I can get in (when trying to access the protected directory via a web browser). If I add it with my php script, and do 'crypt ($password)' it doesn't work (I can't get in via the web).

If I take the first two characters of the encrypted password from the users file (as added by the 'htpasswd' program) and put it in $salt, and do the following:

crypt ($password, $salt);

I get the same exact value (password) as the one in the htaccess user file (perfect match).

I don't know how to get the correct $salt value to make the crypt work properly. Is there a correlation to the username and the $salt value that htpasswd uses, or is there some other pattern to it? Or do I need to configure apache?

I'm using Mandrake 8.2 w/ whatever apache came with it (1.3.x)

Does anyone have any ideas? I'd be very grateful if anyone might be able to help.

Thanks

    Hey,

    Usually on UNIX and its variants the salt is the first two characters of the password; below the password is 'myPASSWD':

    <?php
    
    $pass = "myPASSWD";
    $enc_pass = crypt($pass,substr($pass,0,2));
    echo "encrypted password '$pass' is '$enc_pass'\n";
    
    ?>
    

    For the second arg of crypt() I use substr() to get the first two characters of the password.

      Hey,

      Sorry, I got confused with cygwin for a while. Take a look at this man page to get a gist of how the system call crypt() works...

      
      CRYPT(3)                Library functions                CRYPT(3)

      NAME
             crypt - password and data encryption

      SYNOPSIS
             #define _XOPEN_SOURCE
             #include <unistd.h>

             char *crypt(const char *key, const char *salt);

      DESCRIPTION
             crypt is the password encryption function.  It is based on
             the Data Encryption Standard algorithm with variations
             intended (among other things) to discourage use of
             hardware implementations of a key search.

             key is a user's typed password.

             salt is a two-character string chosen from the set
             [a-zA-Z0-9./].  This string is used to perturb the
             algorithm in one of 4096 different ways.

             By taking the lowest 7 bit of each character of the key, a
             56-bit key is obtained.  This 56-bit key is used to
             encrypt repeatedly a constant string (usually a string
             consisting of all zeros).  The returned value points to
             the encrypted password, a series of 13 printable ASCII
             characters (the first two characters represent the salt
             itself).  The return value points to static data whose
             content is overwritten by each call.

             Warning: The key space consists of 2**56 equal 7.2e16
             possible values.  Exhaustive searches of this key space are
             possible using massively parallel computers.  Software,
             such as crack(1), is available which will search the
             portion of this key space that is generally used by humans
             for passwords.  Hence, password selection should, at
             minimum, avoid common words and names.  The use of a
             passwd(1) program that checks for crackable passwords
             during the selection process is recommended.

             The DES algorithm itself has a few quirks which make the
             use of the crypt(3) interface a very poor choice for
             anything other than password authentication.  If you are
             planning on using the crypt(3) interface for a
             cryptography project, don't do it: get a good book on
             encryption and one of the widely available DES libraries.

      CONFORMING TO
             SVID, X/OPEN, BSD 4.3

      SEE ALSO
             login(1), passwd(1), encrypt(3), getpass(3), passwd(5)

                          September 3, 1994
      

        First of all, thanks for your reply. Your response was more than quick.

        Second, the man page doesn't make much sense to me. I'm not a php or linux guru yet (working on it), and I have very little experience with any kind of encryption. I wish I knew more about this stuff, but I guess you learn by doing it. I appreciate the gesture, though.

        Unfortunately, the passwords still don't match. Let me give you an example.

        I added a user 'joe' with the password 'england'.

        This is what htpasswd created from the command line:
        joe:TEDLDuqEQCveU

        I set up my script to do the following:
        crypt ($pass, substr($pass,0,2))
        and got this:
        joe:en2stKYjRhrOo

        With htaccess, the password takes the password and encrypts it, and compares the post-encrypted string to the one stored in the users file, correct? Which means for my user-add script to work, the post-crypted string must also match the one in the user htaccess file.

        Any other suggestions? I thought perhaps the htpasswd program is using a different "salt" for the encryption, which must be based off either the username or password. So far I can't find a correlation.

        Thanks for your reply. Other ideas?

          Just another addition to my last post:

          The 'salt' as it is called must be based off the username (at least as far as apache is concerned).

          I have tried different users with different passwords and get different encrypted passwords/results for each.

          I'm not sure where to go from here.

          Ideas or suggestions from anyone would be welcome!!

          Build: Apache 1.3.23 on Mandrake 8.2.
          PHP: version 4.1.2

          Thanks...........
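An added example, not code from anyone in this thread, showing how htpasswd-style entries are produced and checked with PHP's crypt(). It assumes a current PHP (random_int() and hash_equals() need PHP 7 or later, not the 4.1.2 used above); the entry joe:TEDLDuqEQCveU is the one posted above, and the helper names are my own.

```php
<?php
// Added example (not from any poster in this thread). Assumes PHP 7+.
// Traditional DES crypt, the format htpasswd wrote on Apache 1.3.

// htpasswd picks the two salt characters at random from [a-zA-Z0-9./].
// The salt is NOT derived from the username or from the password.
function des_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    return $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
}

// Build one "user:hash" line in the layout htpasswd uses.
function htpasswd_line(string $user, string $password): string
{
    if (strpos($user, ':') !== false) {
        throw new InvalidArgumentException('username may not contain ":"');
    }
    $hash = crypt($password, des_salt());
    // A 2-char salt must yield the 13-char DES result; anything else is a failure
    // marker from crypt() (e.g. "*0"), so refuse to write it to the user file.
    if (strlen($hash) !== 13) {
        throw new RuntimeException('traditional DES crypt not available');
    }
    return "$user:$hash";
}

// Check the way Apache does: crypt() the candidate with the STORED hash as the
// salt argument (only its first two characters are used as salt) and compare
// the full 13 characters in constant time.
function htpasswd_check(string $stored_hash, string $password): bool
{
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// The entry from the thread: user joe, password england, as written by htpasswd.
$stored = 'TEDLDuqEQCveU';
printf("salt in stored entry: %s\n", substr($stored, 0, 2));
printf("recomputed with that salt: %s\n", crypt('england', substr($stored, 0, 2)));
printf("check('england'): %s\n", htpasswd_check($stored, 'england') ? 'match' : 'no match');
printf("check('England'): %s\n", htpasswd_check($stored, 'England') ? 'match' : 'no match');

// Two fresh entries for the same password differ only because the salt differs;
// both verify, which is why the OP saw a different value on every run.
$a = htpasswd_line('joe', 'england');
$b = htpasswd_line('joe', 'england');
echo "$a\n$b\n";
[$user, $hash] = explode(':', $a, 2);
printf("fresh entry verifies: %s\n", htpasswd_check($hash, 'england') ? 'yes' : 'no');

// Caveat from the man page: DES crypt takes 7 bits of the first 8 characters
// only, so passwords that agree on their first 8 characters collide.
printf("'englandX' vs 'englandXYZ' same hash: %s\n",
    crypt('englandX', 'TE') === crypt('englandXYZ', 'TE') ? 'yes' : 'no');
```

The two points the thread circles around: htpasswd draws the salt at random, so there is no correlation with the username to find, and the salt is recovered from the first two characters of the stored hash at verification time, which is why passing the stored value itself as the second argument reproduces the entry. Because traditional DES crypt truncates the password to 8 characters and has only 4096 salts, an htpasswd file in this format should be treated as weakly protected today; Apache's newer htpasswd formats (bcrypt with `-B`) avoid both limits.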

            a month later

            I am helping a friend set up an automated members join area.

            I have the following php script:

                while ($row = mysql_fetch_array($result))
                {
                    $username = strtolower($row['username']);
                    $password = crypt($row['password']);
                    $firstname = $row['firstname'];
                    $lastname = $row['lastname'];

                    $line1 = "/usr/bin/sudo /home/manager/public_html/newuser $username $password '$firstname $lastname'";

                    exec($line1);
                    echo "Added $username with password = $password<br>";
                    usleep(500);
                }

            I am not salting crypt, so is that the reason I am not getting passwords generated? Or at least not the proper ones.

            If I add salt to the crypt parameters, would this work?

            Here is a copy of the newuser script file:

            #!/bin/bash

            domain="server name"
            clientip="IP address"
            apacheconf="/opt/casp/apache-bundle/conf/httpd.conf"

            /usr/bin/sudo /usr/sbin/useradd -d /home/$1 -g users -p $2 -s /bin/false -c "$3" -m $1

            /usr/bin/sudo mkdir /home/$1/My_Files
            /usr/bin/sudo mkdir /home/$1/My_Pictures
            /usr/bin/sudo mkdir /home/$1/My_Website
            /usr/bin/sudo cp ./default.html /home/$1/My_Website/

            /usr/bin/sudo chown -R $1.users /home/$1/
            /usr/bin/sudo chmod -R 755 /home/$1/

            # Apache Virtual Server

            # Write the following (at minimum) to httpd.conf (wherever it resides)

            /usr/bin/sudo echo " " 1>>$apacheconf
            /usr/bin/sudo echo "# Virtual Host Directive for $3" 1>>$apacheconf
            /usr/bin/sudo echo "<VirtualHost $clientip>" 1>>$apacheconf
            /usr/bin/sudo echo "DocumentRoot /home/$1/My_Website" 1>>$apacheconf
            /usr/bin/sudo echo "ServerName $1.$domain" 1>>$apacheconf
            /usr/bin/sudo echo "</VirtualHost>" 1>>$apacheconf

            I know that I shouldn't be using sudo here, but this is primarily to convert the existing users over to Linux from his WinDoze server.

            I am going to try to find a better way to do this as time permits.

            Thanks for any help.

            Jeff Dierking
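An added example, not Jeff's code, of building the same newuser command with an explicit crypt() salt and with every argument quoted before it reaches the shell. It assumes PHP 7.2 or later, keeps the /home/manager/public_html/newuser path from the post above, and the username pattern it enforces is my own conservative choice, not something the script requires.

```php
<?php
// Added example (not from the post above). Assumes PHP 7.2+.

// Hash with an explicit random salt. PHP 8 makes the salt argument mandatory.
// A 2-character salt gives traditional DES (the htpasswd style discussed
// earlier in the thread); "$6$" + 16 salt chars gives SHA-512 crypt, which
// useradd -p accepts on glibc systems and does not truncate at 8 characters.
function make_shadow_hash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    $hash = crypt($password, '$6$' . $salt . '$');
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Assemble the command line. Each value is passed through escapeshellarg(),
// which single-quotes it, so "$6$..." is not expanded by /bin/sh and a full
// name containing a quote or a semicolon stays a plain string.
function build_newuser_command(string $username, string $hash, string $fullname): string
{
    // Conservative allow-list (my choice): what useradd and a /home/<name>
    // path tolerate. Anything else is rejected rather than interpolated.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username)) {
        throw new InvalidArgumentException("bad username: $username");
    }
    return '/usr/bin/sudo /home/manager/public_html/newuser '
        . escapeshellarg($username) . ' '
        . escapeshellarg($hash) . ' '
        . escapeshellarg($fullname);
}

// Show why an unquoted hash breaks: the shell reads "$6$" as positional
// parameter 6 and "$<letters>" as variables, all empty, so useradd receives
// a mangled value. Quoted, the hash arrives intact.
$hash = make_shadow_hash('england');
exec('echo ' . $hash, $unquoted);
exec('echo ' . escapeshellarg($hash), $quoted);
printf("unquoted: %s\nquoted:   %s\n", implode("\n", $unquoted), implode("\n", $quoted));

// The command the loop in the post would run for one row (shown, not executed).
echo build_newuser_command('joe', $hash, "Joe O'Brien"), "\n";
```

The same quoting belongs inside the bash script as well (`"$1"`, `"$2"`, `"$3"`), since useradd's -p value and the -c comment are word-split again there. Generating the hash in PHP and handing useradd the finished value with -p is the part of the post's approach that is sound; the unquoted interpolation is what turns a correct hash into a wrong one.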
