Opened 8 years ago

Closed 8 years ago

Last modified 6 years ago

#883 closed defect (fixed)

Write htpasswd "crypt" passwords when possible

Reported by: e@…
Owned by: mgood
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords:
Cc: e@…
Trac Release: 0.10

Description

I moved my existing Trac 0.10 installation to another server and reinstalled all the plugins. The old server crashed so I'm not sure which version of AccountManagerPlugin I had installed. Now I'm using Trac 0.10, r1502 of AccountManagerPlugin and HtPasswdStore for password storage. After the installation I was not able to log in anymore.

Investigating a bit more, I tried to change the password with Apache htpasswd. I tried MD5 (-m) and it did not work, I tried SHA (-s) and then it worked. Next, I tried to change my password using the "My Account" form, and my SHA password got overwritten with an MD5 one. Logged out, tried to log back in, voila, it didn't work. Okay, I created it again using SHA, and it worked again.

When I set my password using Apache htpasswd -m, it looks like this:

$apr1$kHY7q...$8a93cOYhvM8paFbnYSH5Y0

but if I log in (of course using a SHA password) and change the password to the same passphrase as above (though they're supposed to be the same), it looks like this:

$apr1$ECzYt0..$ur3.hBA.Pa6.799.H2gQc/

For the record, the passphrase is "test". I guess the md5 implementation is somehow incompatible or broken, or it's me doing something extremely stupid.

Can you help, please?
--
Enver

Attachments (0)

Change History (3)

comment:1 Changed 8 years ago by mgood

  • Status changed from new to assigned
  • Summary changed from MD5 password encryption incompatible with Apache htpasswd in 0.10 branch to Write htpasswd "crypt" passwords when possible

No, the md5 implementation is equivalent. The htpasswd format uses a random "salt" value which is generated when you create a new password, so the hashes will never be the same, even if you use the same password.

However, it seems that Apache will only authenticate with md5 passwords on Windows. I'll look at supporting writing "crypt" passwords for writing when possible.
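
The salt behaviour described in comment:1, as an added example that is not part of the ticket or of AccountManagerPlugin's code: a standard-library Python version of the `$apr1$` (MD5-crypt variant) scheme that `htpasswd -m` writes, where verification recomputes the hash under the salt stored in the entry instead of comparing two freshly generated entries. The function names are hypothetical; the passphrase, the two salts and the two entries are the ones quoted in the ticket.

```python
import hashlib
import hmac
import secrets

# Added example; function names are hypothetical, not AccountManagerPlugin's API.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1(password: str, salt: str) -> str:
    """Return an htpasswd '$apr1$' entry for password under the given salt."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    for n in range(len(pw), 0, -16):           # alt digest, cut to len(pw) bytes
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                   # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # fixed 1000-round stretch
        a, b = (pw, final) if i & 1 else (final, pw)
        final = hashlib.md5(a + (s if i % 3 else b"") + (pw if i % 7 else b"") + b).digest()
    out = []
    for x, y, z, width in [(0, 6, 12, 4), (1, 7, 13, 4), (2, 8, 14, 4),
                           (3, 9, 15, 4), (4, 10, 5, 4), (None, None, 11, 2)]:
        v = final[z] if x is None else final[x] << 16 | final[y] << 8 | final[z]
        for _ in range(width):                 # low 6 bits first
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    return "$apr1$" + s.decode() + "$" + "".join(out)

def new_entry(password: str) -> str:
    """Create an entry with a fresh random salt, so repeated calls differ."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return apr1(password, salt)

def verify(password: str, stored: str) -> bool:
    """Recompute with the salt embedded in the stored entry and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                           # malformed or different scheme
    return hmac.compare_digest(apr1(password, parts[2]).encode(), stored.encode())

if __name__ == "__main__":
    # Prints whether each entry quoted in the ticket verifies for "test".
    for entry in ("$apr1$kHY7q...$8a93cOYhvM8paFbnYSH5Y0",
                  "$apr1$ECzYt0..$ur3.hBA.Pa6.799.H2gQc/"):
        print(entry, verify("test", entry))
```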

comment:2 Changed 8 years ago by mgood

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [1517]) write htpasswd entries using the crypt module when possible (fixes #883)

comment:3 Changed 8 years ago by anonymous

Thanks a lot for your help, I tried the patch and it fixed the problem for me.
