Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl-Sensitive Sunglasses
 
PerlMonks  

Perl and Apache Configuration Files

by newrisedesigns (Curate)
on Jan 07, 2002 at 18:49 UTC ( [id://136832]=perlquestion: print w/replies, xml ) Need Help??

newrisedesigns has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

After attempting to work on a CGI program that would allow me to set .htaccess and .htpasswd files remotely through a secure form, I hit a snag.

Writing the .htaccess files were no problem, however, I was a bit stuck when it came to .htpasswd.

.htpasswd files are in username:password format, with the first two letters of the password being the salt that you would use in Perl's crypt function. When htpasswd generates a file, however, it seems that the salt is random.

I tried using HTTPD::UserAgent (found out about it here), but it's not installed on this server, and I don't have the ability to install it (I don't even have telnet/SSH access :( just FTP.)

If the .htpasswd files do use a random salt, would it be worthwhile to have perl generate the .htpasswd file or should (if it's possible) I pass the information to htpasswd through a pipe (last resort)?

Thanks in advance for your help.

Replies are listed 'Best First'.
Re: Perl and Apache Configuration Files
by arhuman (Vicar) on Jan 07, 2002 at 18:53 UTC

      Thanks for the link to the Apache CPAN link. I just attempted to "use" the module in my program, and it returns a 500 error.

      I'm going take another look around to see if I can find something else.

      I also attempted using a standard string as a salt, and the server doesn't recognize the password (but does acknowledge the generated .htaccess and the .htpasswd file).

Re: Perl and Apache Configuration Files
by rob_au (Abbot) on Jan 08, 2002 at 04:01 UTC
    Just to throw my two bits into the ring, the following is a piece of code that I have used for just what you ask, generating username and password entries for htpasswd files - I think I lifted this code originally from the first edition of Learning Perl.

    #!/usr/bin/perl -Tw use strict; @salt = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/'); my ($username, $password) = @ARGV; my $now = time; my ($pert1, $pert2) = unpack("C2", $username); my $salt = $salt[($now / 604800 + $pert1 + $pert2) % 64] . $salt[$now +% 64]; $password = crypt($password, $salt); print STDOUT "$username:$password\n"; exit 0;

    The salt for encryption in this case is based upon the first two characters of the username and the current system time.

     

    perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'

Re: Perl and Apache Configuration Files
by Anonymous Monk on Jan 08, 2002 at 00:38 UTC
    Salts are usually supposed change. They're not so much random as calculated by a formula which will be different everytime (which is the whole idea behind a salt), and different things that use crypt use thier own formula. As far as I know it really shouldn't matter what salt you use when you create a password though, because when decrypting the passwords it uses those first two letters as the salt to decrypt with. I don't know much about the htpasswd file, but I know most Unix systems use the current time as a salt. Here is an example: $salt = substr ( time () , -8 ); I just wrote a passwd generating program on Solaris 2.6 using this salt, which works fine. If the password won't take, perhaps you're using the wrong encryption for htpasswd.
Re: Perl and Apache Configuration Files
by newrisedesigns (Curate) on Jan 08, 2002 at 19:20 UTC

    Thanks for the info concerning salt. Very helpful.

    I understood from before that the salt was inbedded within the password itself, as the first two characters of the password. It shouldn't matter what the salt is, cause any person or program can find out what it is through the first two characters.

    Yet my passwords are still not being recognized. The browser prompts the user for the password, but nothing seems to work.

    Documentation on Apache's web site doesn't cover manipulation of .htpasswd files at all, other than generating them with the htpasswd program.

    Thanks for all your help, but this project is going to have to go on the back burner for awhile... there's other CGI programs to be written!

    John J Reiser
    newrisedesigns.com

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://136832]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others about the Monastery: (2)
As of 2024-06-15 15:09 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?
    erzuuli‥ 🛈The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.