Opened 10 years ago

Closed 10 years ago

Write htpasswd "crypt" passwords when possible

Reported by: e@…
Owned by: Matt Good
normal AccountManagerPlugin major e@… 0.10

Description

I moved my existing Trac 0.10 installation to another server and reinstalled all the plugins. The old server crashed so I'm not sure which version of AccountManagerPlugin I had installed. Now I'm using Trac 0.10, r1502 of AccountManagerPlugin and HtPasswdStore for password storage. After the installation I was not able to log in anymore.

Investigating a bit more, I tried to change the password with Apache htpasswd. I tried MD5 (-m) and it did not work, I tried SHA (-s) and then it worked. Next, I tried to change my password using the "My Account" form, and my SHA password got overwritten with an MD5 one. Logged out, tried to log back in, voila, it didn't work. Okay, I created it again using SHA, and it worked again.

When I set my password using Apache htpasswd -m, it looks like this:

$apr1$kHY7q...$8a93cOYhvM8paFbnYSH5Y0

but if I log in (of course using a SHA password) and change the password to the same passphrase as above (though they're supposed to be the same), it looks like this:

$apr1$ECzYt0..$ur3.hBA.Pa6.799.H2gQc/


For the record, passphrase is "test". I guess the md5 implementation is somehow incompatible or broken, or it's me doing something extremely stupid.

Can you help, please? -- Enver

comment:1 Changed 10 years ago by Matt Good

Status: new → assigned
Summary: MD5 password encryption incompatible with Apache htpasswd in 0.10 branch → Write htpasswd "crypt" passwords when possible

No, the md5 implementation is equivalent. The htpasswd format uses a random "salt" value which is generated when you create a new password, so the hashes will never be the same, even if you use the same password.

However, it seems that Apache will only authenticate with md5 passwords on Windows. I'll look at supporting writing "crypt" passwords when possible.
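
The salting behaviour described in comment:1, as an added example that is not part of the original ticket or the AccountManagerPlugin code: a Python implementation of the `$apr1$` (MD5-crypt) scheme showing that two entries written for the same password differ, while each still verifies because its salt is stored in the entry. The function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, length):
    # crypt-style base64: least-significant 6 bits are emitted first
    out = ""
    for _ in range(length):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt):
    """MD5-crypt with the "$apr1$" magic string (the htpasswd -m format)."""
    pw, s = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:  # historical quirk: a NUL byte or the first password byte per bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        head = pw if i & 1 else final
        tail = final if i & 1 else pw
        mid = (s if i % 3 else b"") + (pw if i % 7 else b"")
        final = hashlib.md5(head + mid + tail).digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64(final[x] << 16 | final[y] << 8 | final[z], 4)
                  for x, y, z in order)
    return "$apr1$%s$%s%s" % (salt, enc, _to64(final[11], 2))

def new_entry(password):
    # Each write draws a fresh random 8-character salt
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return apr1_hash(password, salt)

def verify(password, stored):
    # Re-hash with the salt embedded in the stored entry, then compare
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # not an apr1 entry (e.g. {SHA} or crypt)
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)
```
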

comment:2 Changed 10 years ago by Matt Good

Resolution: → fixed
Status: assigned → closed

(In [1517]) write htpasswd entries using the crypt module when possible (fixes #883)

comment:3 Changed 10 years ago by anonymous

Thanks a lot for your help, I tried the patch and it fixed the problem for me.
