Apache-Password length! (only 8 or less chars are recognized) 1

[rishath]

Hi! I have installed and configured Apache2 on Solaris 8. For the password protection, I created passwords using crypt() as,

perl -e 'print "06155:";print crypt("zhuiwra6155", SA);print "\n";'

I have done password authentication within the httpd.conf as below,

<Directory "/export/home/secret">
    Options FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /export/home/passwd/.htpasswd
    Require valid-user
</Directory>

The password authentication works fine, but passwords with characters only, less than or equal to eight are taken into consideration by Apache i.e., If I have my password as 123456789, I get authenticated even if I give 12345678 . Only 8 chars are recognized.
How can I rectify this or is this a default property of apache?

 

[sleipnir214]

It's not Apache. Rather, it's crypt().

Perl's crypt() function uses the system's crypt function, which on a lot of systems produces only 8-byte-significant hashes.

Apache can also use MD5 hashes for passwords, and MD5 can handle longer passwords.





Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[sleipnir214]

Did your Apache compilation also create an app called "htpasswd"? It is designed to manipulate Apache's password files.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rishath]

So, that was the problem? Okay, so how do I create MD5 hashes for my passwords?

 

[sleipnir214]

Did you see my second post in this thread?



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rishath]

Yeah! I do have htpasswd app in my apache bin directory. does this create MD5 hashes?

 

[sleipnir214]

It should be able to.

But invoking htpasswd with no input parameters should display its internal help.



Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[rishath]

Thanks, I'll try that!