<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision$ -->
<!--
- Copyright 2003-2004 Apache Software Foundation
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
just the users listed in the files created by <code>htpasswd</code>. This
program can only manage usernames and passwords stored in a flat-file. It
can encrypt and display password information for use in other types of data
- stores, though. To use a DBM database see <a
- href="dbmmanage.html">dbmmanage</a>.</p>
+ stores, though. To use a DBM database see <program>dbmmanage</program>.</p>
<p><code>htpasswd</code> encrypts passwords using either a version of MD5
modified for Apache, or the system's <code>crypt()</code> routine. Files
<p>This manual page only lists the command line arguments. For details of
the directives necessary to configure user authentication in
- <a href="httpd.html">httpd</a> see the Apache manual, which is part of the
+ <program>httpd</program> see the Apache manual, which is part of the
Apache distribution or can be found at <a href="http://httpd.apache.org"
>http://httpd.apache.org/</a>.</p>
</summary>
-<seealso><a href="httpd.html">httpd</a></seealso>
+<seealso><program>httpd</program></seealso>
<seealso>The scripts in support/SHA1 which come with the
distribution.</seealso>
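Review bot: the `<seealso>` hunk replaces an explicit `<a href="httpd.html">` with `<program>httpd</program>`; please confirm that manual.en.xsl renders a bare `<program>` element inside `<seealso>` as a link to the program page, since otherwise this cross-reference (and the identical replacements in the summary and option descriptions) silently stops being clickable.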
one) is omitted. It cannot be combined with the <code>-c</code> option.</dd>
<dt><code>-m</code></dt>
- <dd>Use MD5 encryption for passwords. On Windows, Netware and TPF, this is
- the default.</dd>
+ <dd>Use MD5 encryption for passwords. This is the default.</dd>
<dt><code>-d</code></dt>
- <dd>Use <code>crypt()</code> encryption for passwords. The default on all
- platforms but Windows, Netware and TPF. Though possibly supported by
- <code>htpasswd</code> on all platforms, it is not supported by the
- <a href="httpd.html">httpd</a> server on Windows, Netware and TPF.</dd>
+ <dd>Use <code>crypt()</code> encryption for passwords. This is not
+ supported by the <program>httpd</program> server on Windows and
+ Netware.</dd>
<dt><code>-s</code></dt>
<dd>Use SHA encryption for passwords. Facilitates migration from/to Netscape
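Review bot: with the `-m` entry now stating that MD5 is the default, the `-d` entry is the only place a reader decides to opt into `crypt()`, so this is where the 8-character limit added under Security Considerations matters most; suggest a short cross-reference in the `-d` description, e.g. "Only the first 8 characters of the password are significant; see Security Considerations."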
<dt><code>-p</code></dt>
<dd>Use plaintext passwords. Though <code>htpasswd</code> will support
- creation on all platforms, the <a href="httpd.html">httpd</a> daemon will
- only accept plain text passwords on Windows, Netware and TPF.</dd>
+ creation on all platforms, the <program>httpd</program> daemon will
+ only accept plain text passwords on Windows and Netware.</dd>
<dt><code>-D</code></dt>
<dd>Delete user. If the username exists in the specified htpasswd file, it
</example>
<p>Adds or modifies the password for user <code>jsmith</code>. The user
- is prompted for the password. If executed on a Windows system, the password
- will be encrypted using the modified Apache MD5 algorithm; otherwise, the
- system's <code>crypt()</code> routine will be used. If the file does not
- exist, <code>htpasswd</code> will do nothing except return an error.</p>
+ is prompted for the password. The password will be encrypted using the
+ modified Apache MD5 algorithm. If the file does not exist,
+ <code>htpasswd</code> will do nothing except return an error.</p>
<example>
htpasswd -c /home/doe/public_html/.htpasswd jane
will display a message and return an error status.</p>
<example>
- htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve
+ htpasswd -db /usr/web/.htpasswd-all jones Pwd4Steve
</example>
<p>Encrypts the password from the command line (<code>Pwd4Steve</code>)
- using the MD5 algorithm, and stores it in the specified file.</p>
+ using the <code>crypt()</code> algorithm, and stores it in the specified
+ file.</p>
</section>
<section id="security"><title>Security Considerations</title>
<em>not</em> be within the Web server's URI space -- that is, they should
not be fetchable with a browser.</p>
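Review bot: the example now pairs `-b` with `crypt()` and uses a 9-character password (`Pwd4Steve`), so per the new Security Considerations paragraph its last character would be silently discarded and a reader copying the example would end up with a different password than the one shown. Since `-m` is now the default, `htpasswd -b /usr/web/.htpasswd-all jones Pwd4Steve` with "using the default MD5 algorithm" would avoid the pitfall; otherwise use an 8-character password or mention the truncation in the explanatory sentence.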
+ <p>This program is not safe as a setuid executable. Do <em>not</em> make it
+ setuid.</p>
+
<p>The use of the <code>-b</code> option is discouraged, since when it is
used the unencrypted password appears on the command line.</p>
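Review bot: the new setuid paragraph states the rule without the reason; a short justification such as "since it opens and rewrites whichever password file path the invoker supplies" would let readers see why a setuid copy is dangerous rather than treating it as an unexplained prohibition.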
+
+ <p>When using the <code>crypt()</code> algorithm, note that only the first
+ 8 characters of the password are used to form the password. If the supplied
+ password is longer, the extra characters will be silently discarded.</p>
+
+ <p>The SHA encryption format does not use salting: for a given password,
+ there is only one encrypted representation. The <code>crypt()</code> and
+ MD5 formats permute the representation by prepending a random salt string,
+ to make dictionary attacks against the passwords more difficult.</p>
</section>
<section id="restrictions"><title>Restrictions</title>
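Review bot: "only the first 8 characters of the password are used to form the password" is circular; suggest "are used to form the encrypted password". In the SHA paragraph it would help to spell out the practical consequence of no salting (two users with the same password get identical entries in the file), and to cross-reference this note from the `-s` option description so readers choosing SHA see it.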
- <p>On the Windows and MPE platforms, passwords encrypted with
+ <p>On the Windows platform, passwords encrypted with
<code>htpasswd</code> are limited to no more than <code>255</code>
characters in length. Longer passwords will be truncated to 255
characters.</p>