
crypt question

by fastkeys (Novice)
on Mar 05, 2001 at 05:03 UTC

fastkeys has asked for the wisdom of the Perl Monks concerning the following question:

I want to make up a .htpasswd file so I wrote the following:
    open (PASSWORD, ">>/home/alex/public_html/.htpasswd") || die "Could not open password file";
    print PASSWORD "$_[0]:" . crypt($_[1], $_[0]) . "\n";
    close PASSWORD;

where $_[1] contains the password and $_[0] contains the username.

The output of this code does not match the output of Apache's htpasswd utility.

I read that $_[0] is the SALT? Am I meant to do something with the username first to make it a SALT?



Edited by mirod: added <code> tags around $_[.]

Replies are listed 'Best First'.
Re: crypt question
by merlyn (Sage) on Mar 05, 2001 at 05:18 UTC
    The salt is a random two-letter string from the set of characters allowed in a crypt string (letters, digits, slash, and dot). It was originally designed to make it hard to have pre-compiled dictionaries of crypted words. Now that crypt is so fast, making a random salt really doesn't buy you that much safety, so just use "aa", or something boring like that.

    my $crypted = crypt($password, "aa");

    And no, it won't match what was originally in the file, because the odds that the salt is already "aa" is one in 512. {grin}

    -- Randal L. Schwartz, Perl hacker

Re: crypt question
by dvergin (Monsignor) on Mar 05, 2001 at 06:45 UTC
    If you are a learn-by-doing type, you can confirm for yourself that both htpasswd and Perl's crypt() are doing the same thing. Use htpasswd and then look at the resulting encrypted password. Then at the command line, paste that encrypted word as the seed into the following line (substituting your own values for "PassWord" and "htpasswdCrypted"):

    perl -e 'print crypt("PassWord", "htpasswdCrypted"), "\n"'

    Then chop off the first two characters of the encrypted password and do it again:

    perl -e 'print crypt("PassWord", "ht"), "\n"'

    In both cases, Perl should spit back the same encryption you obtained with htpasswd. Given a seed, crypt() uses the first two characters (ignoring the rest) and does its magic -- giving back the seed as the first two characters again so that the encrypted password carries its own seed.

    You may need this capability later to authenticate a specific password if you are doing this under program control. On the other hand, Apache chooses a random seed for you and then later handles the authentication itself. No need to ask Apache to confirm a password from a given seed.

    See crypt.
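
The behaviour described in the replies above, as an added example that is not part of the original thread: a two-character salt is drawn from the crypt character set when an entry is created, and the stored hash is passed back as the salt when a password is checked. The helper names and sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): build and check htpasswd-style crypt() entries.
use strict;
use warnings;

# The 64 characters valid in a traditional crypt() salt.
my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');

# Hypothetical helper: pick a two-character salt. rand() is adequate here
# because the salt is stored in the clear; it only needs to vary per entry.
sub random_salt {
    return join '', map { $SALT_CHARS[ int rand @SALT_CHARS ] } 1 .. 2;
}

# Hypothetical helper: return "user:hash" for one .htpasswd line.
sub htpasswd_line {
    my ($user, $password) = @_;
    die "username must not contain ':' or newlines\n" if $user =~ /[:\r\n]/;
    my $hash = crypt($password, random_salt());
    # Some platforms no longer support two-character (DES) salts and return undef.
    die "crypt() does not support this salt format here\n" unless defined $hash;
    return "$user:$hash";
}

# Hypothetical helper: check a candidate password against a stored line.
# The stored hash is passed as the salt; crypt() reads its first two characters.
sub check_password {
    my ($line, $candidate) = @_;
    my (undef, $stored) = split /:/, $line, 2;
    return 0 unless defined $stored && length $stored;
    my $computed = crypt($candidate, $stored);
    return defined $computed && $computed eq $stored ? 1 : 0;
}

# Constructed sample values.
my $line = htpasswd_line('alex', 'PassWord');
print "$line\n";
printf "salt stored in hash: %s\n", substr((split /:/, $line, 2)[1], 0, 2);
printf "correct password : %s\n", check_password($line, 'PassWord') ? 'match' : 'no match';
printf "wrong password   : %s\n", check_password($line, 'password') ? 'match' : 'no match';
```

Passing the username as the salt, as in the question, only yields a valid salt when its first two characters happen to fall in the crypt character set, and it gives every entry for that user the same salt.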

Re: crypt question
by jeorgen (Pilgrim) on Mar 06, 2001 at 01:20 UTC
    An alternative to rolling your own htpasswd file is to use Lincoln Stein's HTTPD::UserManage module to do it for you.

