<p>This document acts as a reference page for most of the relevant
standards that Apache follows.</p>
</dd>
+
+ <dt><a href="password_encryptions.html">Password Encryption Formats</a></dt>
+
+ <dd>
+ <p>Discussion of the various ciphers supported by Apache for
+ authentication purposes.</p>
+ </dd>
</dl>
</div>
<p>This document acts as a reference page for most of the relevant
standards that Apache follows.</p>
</dd>
+
+ <dt><a href="password_encryptions.html">Password Encryption Formats</a></dt>
+
+ <dd>
+ <p>Discussion of the various ciphers supported by Apache for
+ authentication purposes.</p>
+ </dd>
</dl>
</summary>
<dd>Windows, BEOS, & Netware only.</dd>
<dt>CRYPT</dt>
- <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
- 32-bit salt and the password.</dd>
+ <dd>Unix only. Uses the traditional Unix <code>crypt(3)</code> function
+ with a randomly-generated 32-bit salt (only 12 bits used) and the first 8
+ characters of the password.</dd>
<dt>SHA1</dt>
<dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
<dt>MD5</dt>
<dd>"$apr1$" + the result of an Apache-specific algorithm using an
iterated (1,000 times) MD5 digest of various combinations of a
- randomly-generated 32-bit salt and the password. See the APR source file
+ randoml 32-bit salt and the password. See the APR source file
<a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
for the details of the algorithm.</dd>
</dl>
<h3>Validating CRYPT or MD5 passwords with the OpenSSL command
line program</h3>
- <p>The salt for a CRYPT password is the first two characters (as a
- Base64-encoded binary value). To validate <code>myPassword</code> against
+ <p>The salt for a CRYPT password is the first two characters (converted to
+ a binary value). To validate <code>myPassword</code> against
<code>rqXexS6ZhobKA</code></p>
<div class="example"><h3>CRYPT</h3><p><code>
<h3>Database password fields for mod_dbd</h3>
<p>The SHA1 variant is probably the most useful format for DBD
- authentication. Since the SHA1-hash and Base64-encoding functions are
- commonly available, other software can populate a database with encrypted
- passwords that are usable by Apache basic authentication.</p>
+ authentication. Since the SHA1 and Base64 functions are commonly
+ available, other software can populate a database with encrypted passwords
+ that are usable by Apache basic authentication.</p>
<p>To create Apache SHA1-variant basic-authentication passwords in various
languages:</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="digest" id="digest">Digest Authentication</a></h2>
- <p>There is only one format that Apache recognizes for
- digest-authentication passwords. This format is the MD5 hash of the string
+ <p>Apache recognizes one format for
+ digest-authentication passwords - the MD5 hash of the string
<code>user:realm:password</code> as a 32-character string of hexadecimal
digits. <code>realm</code> is the Authorization Realm argument to the
<code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive in
<h3>Database password fields for mod_dbd</h3>
- <p>Since the MD5-hash function is commonly available, other software can
+ <p>Since the MD5 function is commonly available, other software can
populate a database with encrypted passwords that are usable by Apache
digest authentication.</p>
<span class="indent">
s = "0" + s;
</span>
- // String s is the digest hash
+ // String s is the encrypted password
</code></p></div>
<div class="example"><h3>ColdFusion</h3><p><code>
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
</code></p></div>
+ <div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions installed)</h3><p><code>
+
+ encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
+ </code></p></div>
+
</div></div>
<div class="bottomlang">
<dd>Windows, BEOS, & Netware only.</dd>
<dt>CRYPT</dt>
- <dd>Unix only. Calls the Unix crypt(3) function with a randomly-generated
- 32-bit salt and the password.</dd>
+ <dd>Unix only. Uses the traditional Unix <code>crypt(3)</code> function
+ with a randomly-generated 32-bit salt (only 12 bits used) and the first 8
+ characters of the password.</dd>
<dt>SHA1</dt>
<dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
<dt>MD5</dt>
<dd>"$apr1$" + the result of an Apache-specific algorithm using an
iterated (1,000 times) MD5 digest of various combinations of a
- randomly-generated 32-bit salt and the password. See the APR source file
+ randoml 32-bit salt and the password. See the APR source file
<a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
for the details of the algorithm.</dd>
</dl>
<section>
<title>Validating CRYPT or MD5 passwords with the OpenSSL command
line program</title>
- <p>The salt for a CRYPT password is the first two characters (as a
- Base64-encoded binary value). To validate <code>myPassword</code> against
+ <p>The salt for a CRYPT password is the first two characters (converted to
+ a binary value). To validate <code>myPassword</code> against
<code>rqXexS6ZhobKA</code></p>
<example><title>CRYPT</title>
<section><title>Database password fields for mod_dbd</title>
<p>The SHA1 variant is probably the most useful format for DBD
- authentication. Since the SHA1-hash and Base64-encoding functions are
- commonly available, other software can populate a database with encrypted
- passwords that are usable by Apache basic authentication.</p>
+ authentication. Since the SHA1 and Base64 functions are commonly
+ available, other software can populate a database with encrypted passwords
+ that are usable by Apache basic authentication.</p>
<p>To create Apache SHA1-variant basic-authentication passwords in various
languages:</p>
</section>
<section id="digest"><title>Digest Authentication</title>
- <p>There is only one format that Apache recognizes for
- digest-authentication passwords. This format is the MD5 hash of the string
+ <p>Apache recognizes one format for
+ digest-authentication passwords - the MD5 hash of the string
<code>user:realm:password</code> as a 32-character string of hexadecimal
digits. <code>realm</code> is the Authorization Realm argument to the
<directive module="mod_authn_core">AuthName</directive> directive in
<section><title>Database password fields for mod_dbd</title>
- <p>Since the MD5-hash function is commonly available, other software can
+ <p>Since the MD5 function is commonly available, other software can
populate a database with encrypted passwords that are usable by Apache
digest authentication.</p>
<indent>
s = "0" + s;
</indent>
- // String s is the digest hash
+ // String s is the encrypted password
</example>
<example><title>ColdFusion</title>
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
</example>
+ <example>
+ <title>PostgreSQL (with the contrib/pgcrypto functions installed)</title>
+ encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
+ </example>
+
</section>
</section>
projects / apache / commitdiff