LinuxQuestions.org
Old 09-09-2016, 05:12 AM   #1
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Rep: Reputation: 73
PHP: how to validate a password from htpasswd


Hello, I'm creating a script/page using PHP which will give the possibility to a user to change his password from htpasswd file, but I'm not sure how to ensure that the current password matches the password from htpasswd.

Does anybody know how to validate 'current password' against the password saved in htpasswd?
 
Old 09-09-2016, 05:21 AM   #2
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,325

Rep: Reputation: 757
It depends on http password format

See code example in
http://httpd.apache.org/docs/2.2/mis...cryptions.html
 
Old 09-09-2016, 07:28 AM   #3
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by keefaz View Post
It depends on http password format

See code example in
http://httpd.apache.org/docs/2.2/mis...cryptions.html
I use 'MD5' for passwords.
 
Old 09-09-2016, 08:28 AM   #4
keefaz
LQ Guru
 
Registered: Mar 2004
Distribution: Slackware
Posts: 6,325

Rep: Reputation: 757
To verify the password, PHP should be able to open and read the file where the http passwords are stored.

Then you get the line that starts with "Username:<crypted password>" and compare the crypted password with the password you want to check, crypted with the same algorithm.

Function to crypt password:
https://www.virendrachandak.com/tech...htpasswd-file/
 
Old 09-09-2016, 10:06 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187
Passwords are ordinarily stored in databases, not in files.

The most common strategy is to store a "salted hash." The password, plus a random number (the "salt"), is hashed using SHA1 (not MD5 ...), and both the resulting hash and the random number are stored. (The random number is not concealed.)
 
Old 09-10-2016, 04:24 AM   #6
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 749

Original Poster
Rep: Reputation: 73
Quote:
Originally Posted by sundialsvcs View Post
Passwords are ordinarily stored in databases, not in files.

The most common strategy is to store a "salted hash." The password, plus a random number (the "salt"), is hashed using SHA1 (not MD5 ...), and both the resulting hash and the random number are stored. (The random number is not concealed.)
Yes, the idea is good for new passwords, but what about old passwords which used a 'salt' which hasn't been saved? How do I ensure that the current password is correct, or how do I validate an old password to ensure it is the right user?
 
Old 09-10-2016, 06:42 AM   #7
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,590

Rep: Reputation: 1908
Quote:
Originally Posted by robertjinx View Post
Yes, the idea is good for new passwords, but what about old passwords which used a 'salt' which hasn't been saved?
If you don't have the salt then you might as well throw the hash away. However you talked about htpasswd in the first post, according to Apache's htpasswd format documentation, the salt should be in that file.

Quote:
Originally Posted by sundialsvcs View Post
Passwords are ordinarily stored in databases, not in files.

The most common strategy is to store a "salted hash." The password, plus a random number (the "salt"), is hashed using SHA1 (not MD5 ...), and both the resulting hash and the random number are stored. (The random number is not concealed.)
SHA1 is not sufficient for password storing. Something like https://en.wikipedia.org/wiki/Scrypt should be used, see also Cryptographic Hash Functions Are Not Password Hash Functions, and the htpasswd documentation linked above:
Quote:
SHA1
"{SHA}" + Base64-encoded SHA-1 digest of the password. Insecure.
 
Old 09-12-2016, 12:30 PM   #8
ccj4467
LQ Newbie
 
Registered: Jan 2009
Posts: 26

Rep: Reputation: 4
Here is a quick little PHP program that reads an Apache htpasswd file and checks if the input password is valid.

Code:
<?php
// APR1-MD5 method (the "$apr1$" format written by htpasswd -m), portable across platforms including Windows
function crypt_apr1_md5($plainpasswd, $salt)
{
    $tmp = "";
    $len = strlen($plainpasswd);
    $text = $plainpasswd.'$apr1$'.$salt;
    $bin = pack("H32", md5($plainpasswd.$salt.$plainpasswd));
    for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); }
    // $plainpasswd[0]: the old $str{0} string-offset syntax was removed in PHP 8
    for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $plainpasswd[0]; }
    $bin = pack("H32", md5($text));
    // 1000 stretching rounds, as in Apache's apr_md5_encode()
    for($i = 0; $i < 1000; $i++)
    {
        $new = ($i & 1) ? $plainpasswd : $bin;
        if ($i % 3) $new .= $salt;
        if ($i % 7) $new .= $plainpasswd;
        $new .= ($i & 1) ? $bin : $plainpasswd;
        $bin = pack("H32", md5($new));
    }
    // reorder the digest bytes and encode with the crypt(3) base64 alphabet
    for ($i = 0; $i < 5; $i++)
    {
        $k = $i + 6;
        $j = $i + 12;
        if ($j == 16) $j = 5;
        $tmp = $bin[$i].$bin[$k].$bin[$j].$tmp;
    }
    $tmp = chr(0).chr(0).$bin[11].$tmp;
    $tmp = strtr(strrev(substr(base64_encode($tmp), 2)),
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");

    return "$"."apr1"."$".$salt."$".$tmp;
}

// Return the stored hash for $username, or false if the user (or the file) is not found
function get_htpasswd ( $passwdFile, $username )
{
    $lines = file($passwdFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false)
    {
        return false;
    }
    foreach ($lines as $line)
    {
        // entries are "username:hash"; skip comments and malformed lines
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false)
        {
            continue;
        }
        $arr = explode(":", $line, 2);
        if ($arr[0] === $username)
        {
            return trim($arr[1]);
        }
    }
    return false;
}

function matches($password, $filePasswd)
{
    if ($filePasswd === false || $filePasswd === '')
    {
        return false;   // unknown user: a missing entry must never count as a match
    }
    if (strpos($filePasswd, '$apr1$') === 0)
    {
        // MD5 (apr1); hash_equals() compares in constant time
        $passParts = explode('$', $filePasswd);
        $salt = $passParts[2];
        $hashed = crypt_apr1_md5($password, $salt);
        return hash_equals($filePasswd, $hashed);
    }
    elseif (strpos($filePasswd, '{SHA}') === 0)
    {
        // SHA1
        $hashed = "{SHA}" . base64_encode(sha1($password, TRUE));
        return hash_equals($filePasswd, $hashed);
    }
    elseif (strpos($filePasswd, '$2y$') === 0)
    {
        // Bcrypt (htpasswd -B); password_verify() is already constant-time
        return password_verify($password, $filePasswd);
    }
    else
    {
        // Crypt: crypt() takes the salt (and any scheme prefix) from the stored hash itself
        $hashed = crypt($password, $filePasswd);
        return hash_equals($filePasswd, $hashed);
    }
}

if ($argc < 3)
{
    fwrite(STDERR, "usage: php {$argv[0]} <username> <password>\n");
    exit(1);
}

$username = $argv[1];
$password = $argv[2];

$filePasswd = get_htpasswd( 'passwordfile', $username );

if ( matches($password, $filePasswd) )
{
    echo "Correct password\n";
}
else
{
    echo "Incorrect username or password\n";
}
?>
It reads the username and password from the command line and looks in passwordfile for the user. Change the first arg in the call to get_htpasswd to your actual password file. This supports all of htpasswd's hash methods.
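The thread stops at validating the current password; the original poster's stated goal was to change it. The following is an added example, not code from any poster, showing the write side: replacing the user's htpasswd entry with a bcrypt ($2y$) hash, which Apache 2.4's htpasswd -B also produces and which password_verify() checks. It assumes the PHP process can write the file, that entries have the "username:hash" form used in the thread, and that the caller has already verified the current password (for instance with the matches() function posted above); the function name rotate_htpasswd_entry is made up here.

```php
<?php
// Added example (not from the thread): rewrite one htpasswd entry with a
// bcrypt hash while holding an exclusive lock, so concurrent logins or other
// edits never see a half-written file. Returns true only if the user existed.
function rotate_htpasswd_entry($passwdFile, $username, $newPassword)
{
    $fh = fopen($passwdFile, 'c+');            // open read/write, never truncate on open
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    $lines = array();
    $found = false;
    $newHash = password_hash($newPassword, PASSWORD_BCRYPT);   // "$2y$10$..."
    while (($line = fgets($fh)) !== false) {
        $line = rtrim($line, "\r\n");
        $user = strstr($line, ':', true);       // text before the first ':'
        if ($user === $username) {
            $lines[] = $username . ':' . $newHash;
            $found = true;
        } else {
            $lines[] = $line;                   // comments, blanks and other users stay as they are
        }
    }
    if ($found) {
        // rewrite in place while the lock is still held
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, implode("\n", $lines) . "\n");
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $found;
}

// Usage from the command line: php rotate.php passwordfile alice 'new secret'
if (PHP_SAPI === 'cli' && $argc === 4) {
    echo rotate_htpasswd_entry($argv[1], $argv[2], $argv[3]) ? "Updated\n" : "User not found\n";
}
?>
```

After the rewrite the entry verifies through the $2y$ branch of matches(), so an old $apr1$ or {SHA} hash is retired the first time the user changes their password.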