LinuxQuestions.org
Old 01-18-2013, 02:40 PM   #1
adambot
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Rep: Reputation: Disabled
php htpasswd authentication


I am trying to get PHP to authenticate against my .htpasswd; however, it never finishes, but rather keeps giving me the username/password dialog.

Here is my code:
Code:
<?php 
if( !($passwd = @fopen( "./.htpasswd", "r" ))) 
{  echo "Cannot open password file."; 
   exit; 
} 

if( !$PHP_AUTH_USER ) 
{  Header( "WWW-authenticate: basic realm=\"Realm\"" ); 
   Header( "HTTP/1.0 401 Unauthorized" ); 
   echo "Text to see if user hits 'Cancel'"; 
   exit; 
} 

// file format => username:passwd{\n} 
while( $pwent = fgets( $passwd, 100 )) 
{  $part = split( ":", ereg_replace( "\n", "", $pwent )); 
   if( $part[0] != $PHP_AUTH_USER ) 
      continue; 

   // Username was found - verify passwd 
   if( $part[1] != 
        // The crypt salt is stored as chars 1&2 of passwd 
        crypt( $PHP_AUTH_PW, substr( $part[1], 0, 2 ))) 
      break; 

   echo "Hello $PHP_AUTH_USER.<p>\n"; 
} 

// This only has effect if no text was output previously, so 
//  it is ignored in all cases except authentication error. 
@Header( "HTTP/1.0 401 Unauthorized" ); 
?>
Thanks!
 
Old 01-18-2013, 03:55 PM   #2
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 225

Rep: Reputation: 51
You don't need to use PHP to authenticate via htpasswd. Just drop a htaccess file at the top of the directory you want to protect and have it link to the htpasswd file.
 
Old 01-18-2013, 04:32 PM   #3
adambot
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by YankeePride13
You don't need to use PHP to authenticate via htpasswd. Just drop a htaccess file at the top of the directory you want to protect and have it link to the htpasswd file.
I know that; however, I am going to be experimenting with 2-factor authentication and would like to be able to have everything portal-based rather than use Apache's basic authentication.
 
Old 01-18-2013, 05:45 PM   #4
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,425

Rep: Reputation: 1159
Unfortunately, "you're missing the point."

".htpasswd" is strictly for use by Apache: your (PHP or what-have-you) script will never be invoked at all unless that level of authentication is cleared. Hence, your code never has to be concerned with it.

To put it another way: there is nothing that 'your code' can possibly add to it. If you want there to be another "factor," it can't have anything to do with ".htpasswd" since that is by-definition only one factor, and that factor has already been cleared. Any attempt by you to make further use of that factor ... does not introduce another factor.
 
Old 01-18-2013, 06:13 PM   #5
adambot
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs
Unfortunately, "you're missing the point."

".htpasswd" is strictly for use by Apache: your (PHP or what-have-you) script will never be invoked at all unless that level of authentication is cleared. Hence, your code never has to be concerned with it.

To put it another way: there is nothing that 'your code' can possibly add to it. If you want there to be another "factor," it can't have anything to do with ".htpasswd" since that is by-definition only one factor, and that factor has already been cleared. Any attempt by you to make further use of that factor ... does not introduce another factor.
http://koivi.com/archives/php-http-auth/
https://www.duosecurity.com/docs/duoweb

Clearly 2-factor authentication is possible; the second factor would then be invoked where the echo "hello... currently is.

Thanks!
Adam
 
Old 01-19-2013, 10:53 AM   #6
adambot
LQ Newbie
 
Registered: Jan 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Here is the final code that I was able to get to work:

Code:
<?php 
// Show all errors while debugging
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);

if( !($passwd = @fopen( "./.htpasswd", "r" ))) 
{  echo "Cannot open password file."; 
   exit; 
} 

// No credentials sent yet: ask the browser for them
if (!isset($_SERVER['PHP_AUTH_USER']))
{  Header( "WWW-authenticate: basic realm=\"Realm\"" ); 
   Header( "HTTP/1.0 401 Unauthorized" ); 
   echo "Text to see if user hits 'Cancel'"; 
   exit; 
} 

// file format => username:$apr1$salt$hash
while( $pwent = fgets( $passwd, 100 )) {
   $part = explode( ":", chop($pwent));
   if (count($part) < 2) continue;                          // skip blank or malformed lines
   $pass = explode( "\$", $part[1]);
   if (count($pass) < 4 || $pass[1] !== 'apr1') continue;   // only $apr1$ entries are handled

   // Recompute the APR1-MD5 hash of the submitted password with the stored salt
   $plainpasswd=$_SERVER['PHP_AUTH_PW'];
   $salt=$pass[2];
   $len = strlen($plainpasswd);
   $text = $plainpasswd.'$apr1$'.$salt;
   $bin = pack("H32", md5($plainpasswd.$salt.$plainpasswd));
   for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); }
   // $str[0] replaces the $str{0} offset syntax, which PHP 8 no longer accepts
   for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $plainpasswd[0]; }
   $bin = pack("H32", md5($text));
   // 1000 rounds of MD5 over varying combinations of password, salt and digest
   for($i = 0; $i < 1000; $i++) {
       $new = ($i & 1) ? $plainpasswd : $bin;
       if ($i % 3) $new .= $salt;
       if ($i % 7) $new .= $plainpasswd;
       $new .= ($i & 1) ? $bin : $plainpasswd;
       $bin = pack("H32", md5($new));
   }
   // Reorder the digest bytes and encode them with the crypt base64 alphabet
   $tmp="";
   for ($i = 0; $i < 5; $i++) {
       $k = $i + 6;
       $j = $i + 12;
       if ($j == 16) $j = 5;
       $tmp = $bin[$i].$bin[$k].$bin[$j].$tmp;
   }
   $tmp = chr(0).chr(0).$bin[11].$tmp;
   $tmp = strtr(strrev(substr(base64_encode($tmp), 2)),
   "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
   "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
   $hashedpasswd = "$"."apr1"."$".$salt."$".$tmp;

   // Strict user match; hash_equals() compares the hashes in constant time
   if (($_SERVER['PHP_AUTH_USER'] === $part[0]) && hash_equals($part[1], $hashedpasswd))
   {
      echo "Now you are Logged In";
      exit;
   }

}

// This only has effect if no text was output previously, so 
//  it is ignored in all cases except authentication error. 
Header( "HTTP/1.0 401 Unauthorized" ); 
echo "No Match";
?>
Quote:
Originally Posted by sundialsvcs
".htpasswd" is strictly for use by Apache: your (PHP or what-have-you) script will never be invoked at all unless that level of authentication is cleared. Hence, your code never has to be concerned with it.
As you can see, it is possible to use the .htpasswd file instead of needing a database for password authentication through PHP, because there is no .htaccess, just a .htpasswd, so the file is still protected via the Apache config.
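
An added example, not part of the thread or any poster's code: the check from post #6 generalized into a per-user lookup that hashes only the matching entry, dispatches on the hash scheme found in the file, and compares in constant time. The function names are assumptions; the sample entry is the MD5 example that Apache's password-formats documentation lists for the password myPassword.

```php
<?php
// Added example (not thread code). APR1-MD5 as written by `htpasswd -m`.
function apr1_md5(string $pw, string $salt): string {
    $bin = md5($pw . $salt . $pw, true);
    $text = $pw . '$apr1$' . $salt;
    for ($i = strlen($pw); $i > 0; $i -= 16) $text .= substr($bin, 0, min(16, $i));
    for ($i = strlen($pw); $i > 0; $i >>= 1) $text .= ($i & 1) ? "\0" : $pw[0];
    $bin = md5($text, true);
    for ($i = 0; $i < 1000; $i++) {
        $new = ($i & 1) ? $pw : $bin;
        if ($i % 3) $new .= $salt;
        if ($i % 7) $new .= $pw;
        $new .= ($i & 1) ? $bin : $pw;
        $bin = md5($new, true);
    }
    $tmp = '';
    for ($i = 0; $i < 5; $i++) {
        $j = ($i + 12 === 16) ? 5 : $i + 12;
        $tmp = $bin[$i] . $bin[$i + 6] . $bin[$j] . $tmp;
    }
    $b64 = substr(base64_encode("\0\0" . $bin[11] . $tmp), 2);
    return '$apr1$' . $salt . '$' . strtr(strrev($b64),
        'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',
        './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz');
}
// Verify a password against one stored hash, dispatching on its scheme prefix.
function htpasswd_hash_matches(string $pw, string $stored): bool {
    if (strncmp($stored, '$apr1$', 6) === 0) {
        $salt = explode('$', $stored)[2] ?? '';
        return hash_equals($stored, apr1_md5($pw, $salt));
    }
    if (strncmp($stored, '{SHA}', 5) === 0) {
        return hash_equals($stored, '{SHA}' . base64_encode(sha1($pw, true)));
    }
    return password_verify($pw, $stored); // bcrypt ($2y$) and crypt(3) hashes
}
// Find $user in htpasswd-format text; comment and malformed lines never match.
function htpasswd_verify(string $text, string $user, string $pw): bool {
    foreach (preg_split('/\R/', $text) as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] === $user) {
            return htpasswd_hash_matches($pw, $parts[1]);
        }
    }
    return false;
}
// Constructed file content: user "alice" with the Apache docs' MD5 example hash.
$sample = "# staff\n" . 'alice:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/' . "\n";
var_dump(htpasswd_verify($sample, 'alice', 'myPassword'), htpasswd_verify($sample, 'alice', 'wrong'));
```

In the flow the thread describes, the second-factor prompt would run only after `htpasswd_verify()` returns true for the submitted `PHP_AUTH_USER` and `PHP_AUTH_PW`.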
 
  



All times are GMT -5.
