authn_dbd: what format for encrypted password?

on 18.08.2007 16:33:39 by Phil Endecott

Dear Experts,

I'm setting up mod_authn_dbd for the first time (having previously used
the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
passwords should be encoded in the database. The docs at
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:

"The query must take a single string (typically SQL varchar) argument (username),
and return a single value (encrypted password)."

Do I have a choice of encryption formats? How do I tell it which
format I have used? (Is there some more documentation somewhere that I
have missed?)

Many thanks for any advice you can offer.

Regards,

Phil.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: authn_dbd: what format for encrypted password?

on 18.08.2007 18:09:32 by Tom Donovan

Phil Endecott wrote:
> Dear Experts,
>
> I'm setting up mod_authn_dbd for the first time (having previously used
> the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
> passwords should be encoded in the database. The docs at
> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
>
> "The query must take a single string (typically SQL varchar) argument
> (username),
> and return a single value (encrypted password)."
>
> Do I have a choice of encryption formats? How do I tell it which format
> I have used? (Is there some more documentation somewhere that I have
> missed?)

There are four formats that Apache recognizes for passwords.
Note that not all four work on every platform:

1. PLAIN TEXT (i.e. unencrypted) passwords:
Windows, BEOS, & Netware only.

2. CRYPT passwords:
Unix only.
Calls the Unix crypt(3) function with a
randomly-generated 32-bit salt and the password

3. SHA1 passwords:
"{SHA}" + Base64-encoded SHA-1 digest of the password

4. MD5 passwords:
"$apr1$" + the result of an Apache-specific algorithm
using an iterated (1,000 times) MD5 digest of various
combinations of a randomly-generated 32-bit salt
and the password. See source file apr-util/crypto/apr_md5.c
for the details of the algorithm.

The htpasswd program can be used to generate values:

MD5
htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

SHA1
htpasswd -nbs myName myPassword
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

CRYPT
htpasswd -nbd myName myPassword
myName:rqXexS6ZhobKA

openssl can also be used to generate CRYPT and MD5 values
(openssl knows the Apache-specific algorithm). For example:

MD5
openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

CRYPT
openssl passwd -crypt myPassword
qQ5vTYO3c8dsU

The SHA1 variant is probably the most useful for DBD authentication.
Since the SHA1-hash and Base64-encoding functions are commonly
available, other software can populate a database with encrypted
passwords which are usable by Apache.

-tom-


Re: authn_dbd: what format for encrypted password?

on 18.08.2007 18:39:22 by Joshua Slive

On 8/18/07, Tom Donovan wrote:

> There are four formats that Apache recognizes for passwords.
> Note that not all four work on every platform:

Nice summary!

How about making a page on wiki.apache.org/httpd/ for that?

Joshua.


RE : [users@httpd] authn_dbd: what format for encrypted password?

on 18.08.2007 19:24:47 by destroyedlolo

--- Phil Endecott
> Many thanks for any advice you can offer.

Hi Phil,

My only advice is to not use it as it doesn't work :-(
Stock 2.2.4's dbd is buggy and even with an updated
mod_dbd.c it randomly fails (see bug 42732 /
http://issues.apache.org/bugzilla/show_bug.cgi?id=42732).

As a workaround, I authenticate using PHP.

Best regards,

Laurent



Re: authn_dbd: what format for encrypted password?

on 18.08.2007 20:09:47 by noodlet

On 18/08/07, Joshua Slive wrote:
> On 8/18/07, Tom Donovan wrote:
>
> > There are four formats that Apache recognizes for passwords.
> > Note that not all four work on every platform:
>
> Nice summary!
>
> How about making a page on wiki.apache.org/httpd/ for that?
>
> Joshua.

Agreed with Joshua. I had no idea there was an Apache-specific MD5
algorithm. Some docs, please!

--
noodl


Re: RE : [users@httpd] authn_dbd: what format for encrypted password?

on 18.08.2007 21:19:01 by Tom Donovan

Laurent FAILLIE wrote:
> --- Phil Endecott
>> Many thanks for any advice you can offer.
>
> Hi Phil,
>
> My only advice is to not use it as it doesn't work :-(
> Stock 2.2.4's dbd is buggy and even with an updated
> mod_dbd.c it randomly fails (see bug 42732 /
> http://issues.apache.org/bugzilla/show_bug.cgi?id=42732).
>

I disagree. I use mod_dbd with Apache 2.2.4 on both Windows & Linux
with success. I don't use it with PostgreSQL in production (although I
have tested with PostgreSQL and found no problems).

I have not experienced random failures (...so far...)

I always apply the patch from comment #22 in bug 39985
http://issues.apache.org/bugzilla/show_bug.cgi?id=39985#c22

For sites where idle connections may time out, I also apply the patch
that I proposed in APR bug 42841
http://issues.apache.org/bugzilla/show_bug.cgi?id=42841
Be careful with this one. It hasn't been accepted by the APR folks, and
there's really no indication that it ever will be.

re: documenting the Apache password stuff in the WIKI.
Sure, I will get this done in a day or two.

-tom-


Re: authn_dbd: what format for encrypted password?

on 18.08.2007 21:20:34 by Phil Endecott

Tom Donovan wrote:
> Phil Endecott wrote:
>> Dear Experts,
>>
>> I'm setting up mod_authn_dbd for the first time (having previously used
>> the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
>> passwords should be encoded in the database. The docs at
>> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
>>
>> "The query must take a single string (typically SQL varchar) argument (username),
>> and return a single value (encrypted password)."
>>
>> Do I have a choice of encryption formats? How do I tell it which format
>> I have used? (Is there some more documentation somewhere that I have
>> missed?)
>
> There are four formats that Apache recognizes for passwords.
> Note that not all four work on every platform:
>
> 1. PLAIN TEXT (i.e. unencrypted) passwords:
> Windows, BEOS, & Netware only.
>
> 2. CRYPT passwords:
> Unix only.
> Calls the Unix crypt(3) function with a
> randomly-generated 32-bit salt and the password
>
> 3. SHA1 passwords:
> "{SHA}" + Base64-encoded SHA-1 digest of the password
>
> 4. MD5 passwords:
> "$apr1$" + the result of an Apache-specific algorithm
> using an iterated (1,000 times) MD5 digest of various
> combinations of a randomly-generated 32-bit salt
> and the password. See source file apr-util/crypto/apr_md5.c
> for the details of the algorithm.

Thanks Tom. I now have it working, something like this:

# You need the pgcrypto contrib package to get SHA1:
apt-get install postgresql-contrib
su postgres -c "psql -f /usr/share/postgresql/8.2/contrib/pgcrypto.sql"

# Configure DBD in the virtualhost:
DBDriver pgsql
DBDParams "dbname=secret user=secret"


The Apache docs could list the available tokens for the parameter
string, or at least link to
http://www.postgresql.org/docs/8.2/static/libpq-connect.html . I had
mis-remembered it and wrote "db=secret", which caused the following
utterly useless error message:

[Sat Aug 18 19:17:17 2007] [error] [client 8.6.8.19] Error looking up
foo in database

Does libpq really not return any more useful error information that
could be included here? What does PQerrorMessage return?


# Set up the query to return the SHA1 of the password:
AuthDBDUserPWQuery "select
'{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64')
from users where username=$1"


I could query why I'm not allowed to use plain text or base64
passwords. Like very many low-security sites I store passwords in a
form that allows me to implement a "forgotten your password? click
here and we'll email it to you" feature. But I suspect that it's the
sort of question that would trigger some strong opinions, and I don't
want to annoy anyone because I think I'll have some more questions for
you all soon...


# The rest of the configuration:
AuthName "secret"
AuthType basic
AuthBasicProvider dbd
require valid-user

...and now it seems to work.


Joshua wrote:
> How about making a page on wiki.apache.org/httpd/ for that?

The information that Tom supplied really ought to be in the main docs.
Is there a migration route from the wiki to the main documentation?

Laurent wrote:
> My only advice is to not use it as it doesn't work :-(

Well it seems to be working for me, so far. In your bug report you wrote:
> According to PostgreSQL log, it seems the connection hasn't a "working" status (expired ?)

Have you set up postgres to time out connections? If you have, try
disabling that.


Regards,

Phil.


Re: authn_dbd: what format for encrypted password?

on 19.08.2007 06:33:50 by Tom Donovan

Joshua Slive wrote:
> How about making a page on wiki.apache.org/httpd/ for that?

Done! http://wiki.apache.org/httpd/Encrypted_Passwords

-tom-


Re: authn_dbd: what format for encrypted password?

on 19.08.2007 07:32:02 by noodlet

On 19/08/07, Tom Donovan wrote:
> Joshua Slive wrote:
> > How about making a page on wiki.apache.org/httpd/ for that?
>
> Done! http://wiki.apache.org/httpd/Encrypted_Passwords

Moved! http://wiki.apache.org/httpd/EncryptedPasswords

Sorry for the pedantry but we only recently went through the whole
site renaming everything with this format. Otherwise it's good stuff
and can probably be translated for the main docs as-is.

--
noodl


Re: authn_dbd: what format for encrypted password?

on 19.08.2007 12:53:50 by Phil Endecott

Tom Donovan wrote:
> Joshua Slive wrote:
>> How about making a page on wiki.apache.org/httpd/ for that?
>
> Done! http://wiki.apache.org/httpd/Encrypted_Passwords

Thanks Tom, that's excellent. You might like to make it explicit that
the format is detected by inspection of the first part of the string; I
mention this because it's not how the old mod_auth_pgsql worked (it had
an Auth_PG_hash_type directive).


Regards,

Phil.
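A checker for the two formats from Tom's list that other software can produce portably, {SHA} and $apr1$, dispatching on the stored string's prefix exactly as Phil describes above. This is an added example, not code from the thread or from Apache; the $apr1$ routine reimplements the apr_md5.c algorithm Tom points to, and the test vectors are the htpasswd and openssl outputs he posted.

```python
import base64
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    # apr's to64(): emit `count` 6-bit groups, least significant first
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ MD5 scheme (apr_md5_encode in apr-util/crypto/apr_md5.c)."""
    salt = salt.split(b"$")[0][:8]           # at most 8 chars, stop at the next '$'
    ctx = hashlib.md5(password + b"$apr1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                     # add len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                               # one NUL or pw[0] per bit of len(pw)
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                    # the 1,000-round stretching loop
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # apr's byte ordering for the final 22-character encoding
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in triples) + _to64(final[11], 2)
    return (b"$apr1$" + salt + b"$" + enc).decode("ascii")


def sha1_htpasswd(password: bytes) -> str:
    """The {SHA} scheme: base64 of a raw, unsalted SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode("ascii")


def verify_password(stored: str, candidate: str) -> bool:
    """Pick the scheme from the stored value's prefix; anything else is rejected here."""
    pw = candidate.encode("utf-8")
    if stored.startswith("{SHA}"):
        computed = sha1_htpasswd(pw)
    elif stored.startswith("$apr1$"):
        computed = apr1_crypt(pw, stored[len("$apr1$"):].encode("ascii"))
    else:
        return False  # plain text and crypt(3) values are not handled by this example
    return hmac.compare_digest(computed.encode("ascii"), stored.encode("ascii"))
```

Because {SHA} is unsalted, two users with the same password get identical stored values, which is one reason to prefer $apr1$ where the producing side can compute it.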


Re: authn_dbd: what format for encrypted password? [dbd now broken]

on 21.08.2007 01:08:11 by Phil Endecott

Dear All,

I'm trying to set up auth with postgresql...

Laurent FAILLIE wrote:
> My only advice is to not use it as it doesn't work :-(

Yesterday I thought it was working, but since then it has fallen apart
and I'm wondering if Laurent might be right after all...

Yesterday I was running 2.2.3 (Debian package). It was working. This
evening I upgraded to 2.2.4 (still Debian). (Why? "If it ain't broken,
don't fix it." I should remember that, but it's too late now.)
Although the rest of the system still works, pgsql auth has failed.

My configuration currently looks like this (slightly edited):


ServerName xxxxx

DBDriver pgsql
DBDParams "dbname=xxxx user=xxxx"
DBDExptime 100
DBDKeep 1
DBDMax 5
DBDMin 1
DBDpersist on
# Note docs say 0|1 for persist, but it actually wants on|off

DocumentRoot /var/www/xxxx

Options FollowSymLinks MultiViews +ExecCGI +Includes
AllowOverride All
AddHandler cgi-script cgi
DirectoryIndex index
Order allow,deny
allow from all
AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
AuthName "xxxx"
AuthType basic
AuthPAM_Enabled off
AuthBasicProvider dbd
AuthDBDUserPWQuery "select
'{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64')
from users where username=$1 and enabled"
require valid-user


SSLEngine on
SSLCertificateFile xxxx

ErrorLog /var/log/apache2/xxxxx/error.log
LogLevel warn

CustomLog /var/log/apache2/xxxx/access.log combined
ServerSignature On




Yesterday I had "DBDpersist off", and no exptime, keep, min or max
parameters. I tried that at first with 2.2.4, with the following symptoms:

In the error log:
[Mon Aug 20 23:52:14 2007] [error] [client 86.6.8.194] No DBD Authn configured!

In the postgresql log, I see a connection, authorisation and immediate
disconnection, without any query being executed:

2007-08-20 23:52:30 BST LOG: connection received: host=[local]
2007-08-20 23:52:30 BST LOG: connection authorized: user=xxxx database=xxxx
2007-08-20 23:52:30 BST LOG: disconnection: session time: 0:00:00.040
user=xxxx database=xxxx host=[local]

I then tried the "persist on" settings shown above. This fails in a
different way. Nothing else in this configuration has changed since it
was working yesterday with 2.2.3, and the postgresql configuration has
not changed.

With "persist on", the symptom is that I see this in the error log:
[Mon Aug 20 23:12:29 2007] [error] [client 86.6.8.194] Error looking up
phil in database

In the postgresql log, I see *nothing at all*. This log records
something even if I just telnet to the right port number, which makes
me think that Apache isn't attempting to connect at all. I have tried
to debug with strace, and although it's hard to see what is going on I
can't see any attempts to open a database connection. lsof -i and lsof
-U don't appear to show any connection either.


So: Can anyone see anything obviously wrong with the configuration
shown above? I'm aware that there may be some known issues with this
stuff, but are there any known *regressions* from 2.2.3 to 2.2.4? Was
I just lucky before? How can I debug further? Is there a way to get
verbose debug out of mod_dbd? (I have tried "loglevel debug" but that
doesn't add anything.)


Many thanks for any advice.

Phil.
