How to crypt like htpasswd

My hoster doesn’t allow Apache to run the htpasswd command, but I use .htaccess authentication. So I have to write to the file manually. I know its format; the only problem is generating the same password as htpasswd does.
It is written that htpasswd uses the crypt function, but when I use the crypt function from PHP, I get a different result.
Maybe the problem is that I don’t provide the correct SALT for the crypt() function…

I believe that htpasswd should be able to use md5 (probably the output you are getting from crypt()). But, if you want to use UNIX DES, which is the standard for htpasswd, then you can by supplying a 2 character salt to the crypt function:


crypt('blah', 'ab')

‘blah’ is your password, ‘ab’ is your salt (you should randomize your salt beforehand).

OK. I can use it in such a way, BUT! How can I get THE SAME result string as htpasswd does? How can I generate the password and write it to the .htpasswd file in such a way that Apache can work with it? Or maybe I’m not understanding the principle of Apache encryption…

From your post, I can conclude that if I use


 exec('htpasswd -b /path/to/.htpasswd username pass');
 

and


 $fl = fopen('/path/to/.htpasswd', 'a');
 // each entry needs its own line, so end it with a newline
 $str = 'username:'.crypt('pass', 'ab')."\n";
 fwrite($fl, $str);
 fclose($fl);
 

I will receive the same result and this file will work.
Am I right?

If so, then I don’t understand how Apache determines whether the password is right. To get the same hash it should take my pass and crypt() it with the same salt. And if it doesn’t know the salt, it will use a random one, and if that does not match mine (the one I used to encrypt it), the hash will not be the same and authentication will fail.
Am I right?
If I am right in both cases, then I am stupid…

You will not end up with the same result since ‘htpasswd’ will use a random salt. The good news is, htpasswd/htaccess is pretty smart :) When you store a password in there with a salt, it knows that the salt is the first two letters, so it can always verify logins no matter what the salt is.

For authentication, what it does is take the password input to it, and take the salt from the .htpasswd file, and encrypt the password using that salt. If the encrypted string matches the encrypted string in the .htpasswd file, it allows the login.

Did I explain that OK, or are you still confused?
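
The mechanism described in the reply above, as an added example that is not part of the original thread: crypt() returns the salt as the first two characters of its output, so the stored value alone is enough to verify a login. The function names `htpasswd_line` and `htpasswd_verify` are hypothetical, and the example covers only the 2-character-salt DES format discussed here.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Build one "user:hash" line with DES crypt and a random 2-character salt.
function htpasswd_line(string $user, string $pass): string
{
    if ($user === '' || strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('invalid user name');
    }
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    // crypt() output already starts with the salt, so nothing is prepended.
    return $user . ':' . crypt($pass, $salt) . "\n";
}

// Verify a password against a stored line: hash the input with the salt
// read from the stored value and compare the two strings.
function htpasswd_verify(string $line, string $pass): bool
{
    $parts = explode(':', rtrim($line, "\r\n"), 2);
    if (count($parts) !== 2 || $parts[1] === '') {
        return false;
    }
    // Given a full hash as the salt argument, crypt() uses only its salt part.
    return hash_equals($parts[1], crypt($pass, $parts[1]));
}

// Constructed sample values, same as in the posts above.
$a = htpasswd_line('username', 'userpass');
$b = htpasswd_line('username', 'userpass');
echo $a, $b;                                   // salts are random, so the lines normally differ
var_dump(htpasswd_verify($a, 'userpass'));     // correct password
var_dump(htpasswd_verify($b, 'userpass'));     // same password, other salt
var_dump(htpasswd_verify($a, 'wrongpass'));    // wrong password
// DES crypt reads only the first 8 characters of the password.
var_dump(htpasswd_verify($a, 'userpass-and-more'));

// To store a line (path is a placeholder):
// file_put_contents('/path/to/.htpasswd', $a, FILE_APPEND | LOCK_EX);
```

Because DES crypt ignores everything past the eighth character, longer passwords gain nothing in this format.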

As far as I understand, when I write manually, I should write a string like this:


 $salt = 'ab';
 $login = 'username';
 $pass = 'userpass';
 $ht_string = $login.':'.$salt.crypt($pass, $salt);
 //and then write this string to the file
 

And what if I want to use the MD5 algorithm to encrypt passwords in the .htpass file? How should I use crypt() and where do I write the salt?

If you are on Linux, simply call crypt('pass') and it will default to using salted md5. You write this into the .htpasswd file the same way.

Here is a class that works with the .htpass file like the htpasswd utility, using the UNIX DES algorithm:
http://www.sitepoint.com/forums/showthread.php?p=2167689

Cool, looks nice!