weird thing about httpd Auth module mod_authn_file

hahacc · 07-31-2013, 09:09 AM

Hi folks,
I'm using httpd mod_authn_file for authenticating against a directory of my site, but I found I can pass the authentication with wrong password!
Here's the configuration:

Code:

<Directory /var/www/html/mysite/dir1>
AuthName "Need-password"
AuthType Basic
AuthUserFile /var/www/html/mysite/dir1/htpasswd.me
Require valid-user
Options +Indexes
AuthBasicProvider file
</Directory>

The module was loaded:

Code:

LoadModule authn_file_module modules/mod_authn_file.so

And I've set htpasswd.me with right permission:

Code:

[root@doxer_#1]# ls -l /var/www/html/mysite/dir1/htpasswd.me
-rw------- 1 apache apache 21 Jul 31 07:47 /var/www/html/mysite/dir1/htpasswd.me

I generated password using the right htpasswd -c /var/www/html/mysite/dir1/htpasswd.me username.

The sympotom is that:

When I entered the wrong username, authentication will fail with right/wrong password;
When I entered the right username, and the first several characters of the right password as password, authentication will pass!(this really puzzled me! For example, the right password was 'PassWord', but I found that 'PassWore' or 'PassWordExtra' would both pass!)

Can anyone shed some light on this? Thanks!

PS:Server version: Apache/2.2.3

.

vishesh · 08-01-2013, 06:04 AM

I tried same configuration but not taking incomplete password.

Thanks

eklavya · 08-01-2013, 07:05 AM

if you are talking about htaccess username & password. Don't try using just refresh the link.
Close the browser and open again and now execute the link.
or
try in different browsers. Open new browser (cleared cookies & cache) and now put the wrong password, it will not take it.
But once you put the correct password and try in same browser without closing it, it can take incorrect one.

I am saying this because I had faced same issue.

hahacc · 08-06-2013, 05:16 AM

Thanks guys, but this weird issue still the same on my box, even I changed another host.

bathory · 08-07-2013, 02:31 AM

Quote:

The sympotom is that:

When I entered the wrong username, authentication will fail with right/wrong password;
When I entered the right username, and the first several characters of the right password as password, authentication will pass!(this really puzzled me! For example, the right password was 'PassWord', but I found that 'PassWore' or 'PassWordExtra' would both pass!)

Can anyone shed some light on this? Thanks!

PS:Server version: Apache/2.2.3

This is a problem for apache versions up to 2.2.17

Quote:

-d
Use crypt() encryption for passwords. This is not supported by the httpd server on Windows and Netware. This algorithm limits the password length to 8 characters. This algorithm is insecure by today's standards. It used to be the default algorithm until version 2.2.17.

You can use -m in htpasswd to encrypt the password using the md5 algorithm. See the link above for more details

Regards

hahacc · 08-11-2013, 10:30 PM

Quote:

Originally Posted by bathory

This is a problem for apache versions up to 2.2.17

You can use -m in htpasswd to encrypt the password using the md5 algorithm. See the link above for more details

Regards

Awesome, thanks a lot! I had another try with -m and it worked as expected!