LinuxQuestions.org
Support LQ: Use code LQCO20 and save 20% on CrossOver Office
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page [SOLVED] htpasswd allows incomplete password (weird)
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 03-09-2011, 09:35 PM   #1
dhrumantgoradia
LQ Newbie
 
Registered: Nov 2004
Distribution: CentOS & Ubuntu
Posts: 24

Rep: Reputation: 15
htpasswd allows incomplete password (weird)

Hi there, I've setup .htpasswd and a .htaccess file.

The password is a0bc0def0g3

If i enter that password, it let's me in.

if i enter a0bc0def0g it also works. I've never seen this before and is totally weird. Any suggestions?
 
Old 03-09-2011, 09:46 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,500

Rep: Reputation: 285Reputation: 285Reputation: 285
From here:

Quote:
Web password files such as those managed by htpasswd should not be within the Web server's URI space -- that is, they should not be fetchable with a browser.

This program is not safe as a setuid executable. Do not make it setuid.

The use of the -b option is discouraged, since when it is used the unencrypted password appears on the command line.

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

The SHA encryption format does not use salting: for a given password, there is only one encrypted representation. The crypt() and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult.
 
Old 03-09-2011, 09:56 PM   #3
dhrumantgoradia
LQ Newbie
 
Registered: Nov 2004
Distribution: CentOS & Ubuntu
Posts: 24

Original Poster
Rep: Reputation: 15
Thank you very much, I spent the whole day trying to figure it out, can't believe the answer was right in front of me. I read that page a few time and missed it.

(Kicking myself now, and embarrassed)
 
Old 03-09-2011, 09:58 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,500

Rep: Reputation: 285Reputation: 285Reputation: 285
Don't worry about it, it happens to all of us. I call it 'target blindness' - whatever we're looking for is the one thing our eyes keep skipping over.
 
  


Reply

Tags
apache2, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
How to sync md5 password between php and htpasswd chobong Linux - Server 1 07-15-2010 03:51 PM
Shell Password -vs- HTPASSWD Password? carlosinfl Linux - Security 1 10-14-2009 10:26 AM
Internal Server Error with Password protection of directory using .htaccess/.htpasswd mlapl1 Linux - Newbie 1 10-14-2009 12:12 AM
htpasswd password file fw12 Linux - Newbie 5 07-16-2006 02:26 PM
htpasswd steve_c Linux - General 10 04-16-2002 10:15 AM


All times are GMT -5. The time now is 09:53 AM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration