Opened 18 years ago

Closed 18 years ago

Last modified 16 years ago

#883 closed defect (fixed)

Write htpasswd "crypt" passwords when possible

Reported by: e@…
Owned by: Matt Good
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords:
Cc: e@…
Trac Release: 0.10

Description

I moved my existing Trac 0.10 installation to another server and reinstalled all the plugins. The old server crashed so I'm not sure which version of AccountManagerPlugin I had installed. Now I'm using Trac 0.10, r1502 of AccountManagerPlugin and HtPasswdStore for password storage. After the installation I was not able to login anymore.

Investigating a bit more, I tried to change the password with Apache htpasswd. I tried MD5 (-m) and it did not work, I tried SHA (-s) and then it worked. Next, I tried to change my password using the "My Account" form, my SHA password got overwritten with an MD5 one. Logged out, tried to log in back, voila, it didn't work. Okay, I created it again using SHA, and it worked again.

When I set my password using Apache htpasswd -m, it looks like this:

$apr1$kHY7q...$8a93cOYhvM8paFbnYSH5Y0

but if I login (of course using a SHA password) and change the password to the same passphrase as above (though they're supposed to be same), it looks like this:

$apr1$ECzYt0..$ur3.hBA.Pa6.799.H2gQc/

For the record, passphrase is "test". I guess the md5 implementation is somehow incompatible or broken, or it's me doing something extremely stupid.

Can you help, please? -- Enver

Attachments (0)

Change History (3)

comment:1 Changed 18 years ago by Matt Good

Status: new → assigned
Summary: MD5 password encryption incompatible with Apache htpasswd in 0.10 branch → Write htpasswd "crypt" passwords when possible

No, the md5 implementation is equivalent. The htpasswd format uses a random "salt" value which is generated when you create a new password, so the hashes will never be the same, even if you use the same password.

However, it seems that Apache will only authenticate with md5 passwords on Windows. I'll look at supporting writing "crypt" passwords for writing when possible.
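
The salt behaviour described in comment:1, as an added example (not part of the ticket and not AccountManagerPlugin's code): an `$apr1$` entry carries its salt in the second `$`-separated field, so a verifier re-hashes the candidate password with that stored salt instead of comparing two freshly generated strings. The function names `apr1_hash` and `apr1_verify` are hypothetical; the algorithm is the publicly documented Apache variant of md5crypt.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_hash(password, salt=None):
    """Return an Apache '$apr1$' htpasswd hash; draws a fresh random salt if none is given."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:                      # length-dependent mixing step of md5crypt
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):         # fixed 1000-round stretching
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):        # 24 bits -> 4 characters, low bits first
            out, v = out + ITOA64[v & 0x3F], v >> 6
    v = final[11]
    for _ in range(2):            # last byte -> 2 characters
        out, v = out + ITOA64[v & 0x3F], v >> 6
    return "$apr1$%s$%s" % (s.decode(), out)

def apr1_verify(password, entry):
    """Re-hash with the salt stored inside the entry and compare in constant time."""
    _, scheme, salt, _ = entry.split("$")
    if scheme != "apr1":
        raise ValueError("not an apr1 entry")
    return hmac.compare_digest(apr1_hash(password, salt), entry)

if __name__ == "__main__":
    # The two entries quoted in the ticket description; the reporter gives "test" as the passphrase.
    for entry in ("$apr1$kHY7q...$8a93cOYhvM8paFbnYSH5Y0", "$apr1$ECzYt0..$ur3.hBA.Pa6.799.H2gQc/"):
        print(entry, apr1_verify("test", entry))
    print(apr1_hash("test") != apr1_hash("test"))  # fresh salts give different strings
```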

comment:2 Changed 18 years ago by Matt Good

Resolution: fixed
Status: assigned → closed

(In [1517]) write htpasswd entries using the crypt module when possible (fixes #883)

comment:3 Changed 18 years ago by anonymous

Thanks a lot for your help, I tried the patch and it fixed the problem for me.
