Item12074: Debian installed for 1.1.5 inserts wrong hash for htpasswd and LocalSite.cfg
Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: DebianPackage
Branches: Release01x01
--
BillJones - 11 Sep 2012
I guess you can say:
#!/usr/bin/perl
use strict;
use warnings;
# Hash the password given as the first argument with crypt(), using the
# password itself as the salt (traditional crypt only uses its first two characters).
my $passWord = $ARGV[0];
print crypt($passWord, $passWord) . "\n";
--
BillJones - 11 Sep 2012
When doing a Debian package install, the script prompts to create a hash that is stored in .htpasswd and LocalSite.cfg -- the hashes are identical but do not work the same.
The proper way to generate a hash for Apache to use is:
htpw=`which htpasswd` ; ${htpw} -c /var/lib/foswiki/data/.htpasswd admin
I'm not sure yet how this gets populated into LocalSite.cfg, so for now I copy it manually. This also doesn't work. So what method are you using AFTER Change Password is invoked?
--
BillJones - 11 Sep 2012
Releases of Foswiki prior to 1.1.5 generated a crypt hash of the password. This has some weaknesses and 1.1.5 has made changes to improve the security.
On Foswiki 1.1.5, when you use bin/configure to save a password, it uses a different hash than crypt. It adds salt and generates an MD5 of the password. Unfortunately this hash is not understood by Apache, so you can not copy a hash from LocalSite.cfg to the apache .htaccess file.
Foswiki still understands crypt encoded passwords, so the solution is to always use crypt to generate the admin password hash, understanding that the password will be truncated to 8 characters. crypt based password hashes can be copied between LocalSite.cfg and .htaccess.
Your last example shows using the htpasswd command to update data/.htpasswd.
Use caution here
- In the example you pasted, the -c option will wipe out the entire contents of .htpasswd
- If you use htpasswd to update the foswiki data/.htpasswd file, note that Foswiki uses an extended .htpasswd format userid:password hash:email@address. The htpasswd utility will not preserve the email addresses.
--
GeorgeClark - 11 Sep 2012
Yes, but I guess I don't understand that if htpasswd is detected then that method should be used to generate the .htpasswd hash... I would think that once you have the password more than one approach can be used as appropriate to make hashes if the initial intent is to ask for the password once at install and later force the user to change it -- or have $Foswiki::cfg{Password} = ''; or leave it out entirely.
--
BillJones - 11 Sep 2012
I just nuked my foswiki for a 10th time and the passwords as created by the debian installer are identical:
$Foswiki::cfg{Password} = '$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.';
.htpasswd is identical: admin:$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.
I think it is better to leave off $Foswiki::cfg{Password} = altogether and force a passwd change.
--
BillJones - 11 Sep 2012
Wow. That's totally broken!
$apr1$ is the signature for an "Apache MD5" hash which is not supported by configure. Configure supports two algorithms for the password: Crypt, and its own salted MD5. The reason being, neither of them require extra CPAN modules. Apache MD5 encoding would involve extra dependencies.
See Foswiki::Configure::UI::_encode_MD5() for the code.
--
GeorgeClark - 11 Sep 2012
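As an added example (not code from the report or from Foswiki), the following Python script checks for the two problems GeorgeClark describes above: an admin hash that differs between .htpasswd and LocalSite.cfg, and a hash in a scheme such as $apr1$ that configure does not accept, where only crypt can be copied between the two files. It also rewrites a hash while keeping the email field of Foswiki's extended userid:hash:email format, which htpasswd(1) drops. The sample files are constructed; the admin hash is the $apr1$ value quoted earlier in this report, and alice's crypt hash is a made-up 13-character string.

```python
import re
# Constructed sample files (not from the report). Extended .htpasswd format is
# "userid:hash:email"; admin's hash is the $apr1$ value quoted in the report.
SAMPLE_HTPASSWD = """admin:$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.:admin@example.org
alice:abJnggxhB/yWI:alice@example.org
"""
SAMPLE_LOCALSITE = "$Foswiki::cfg{Password} = '$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.';\n"


def hash_scheme(h):
    """Classify a stored hash by its shape; only 'crypt' is usable in both files."""
    if h.startswith("$apr1$"):
        return "apache-md5"   # Apache's MD5 variant: configure cannot verify it
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"        # traditional crypt: Apache and configure both accept
    return "other"            # e.g. configure's own salted MD5, or an unknown scheme


def parse_htpasswd(text):
    """Return {userid: (hash, email)}; email is '' for a plain two-field line."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":", 2)   # userid and hash never contain ':'
            entries[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return entries


def check_admin(htpasswd, localsite, user="admin"):
    """List what this report hit: differing hashes, or a scheme configure rejects."""
    stored = parse_htpasswd(htpasswd).get(user)
    m = re.search(r"\$Foswiki::cfg\{Password\}\s*=\s*'([^']*)'", localsite)
    if stored is None or m is None:
        return ["no %s entry or no {Password} setting" % user]
    problems = [] if stored[0] == m.group(1) else ["%s hash differs between files" % user]
    for where, h in ((".htpasswd", stored[0]), ("LocalSite.cfg", m.group(1))):
        if hash_scheme(h) != "crypt":
            problems.append("%s: %s hash cannot be copied to the other file" % (where, hash_scheme(h)))
    return problems


def set_hash(htpasswd, user, new_hash):
    """Replace one user's hash but keep the email field that htpasswd(1) drops."""
    out = []
    for line in htpasswd.splitlines():
        parts = line.split(":", 2)
        if parts[0] == user:
            parts[1] = new_hash
        out.append(":".join(parts))
    return "\n".join(out) + "\n"
```

Running check_admin(SAMPLE_HTPASSWD, SAMPLE_LOCALSITE) reports the $apr1$ hash in both files as non-portable, which is exactly the state the Debian installer left the system in.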
Note that we can probably change this (again) for 1.1.6.
Item11821 added Crypt::MD5 to the CPAN modules shipped with Foswiki. Configure would be able to understand the Apache hash without extra dependencies.
--
GeorgeClark - 11 Sep 2012
argh! so, we need to check, but this might mean that apache in your debian has changed the default from crypt to md5 for the htpasswd tool
if that's the case, there's another issue - I can't find a libcrypt-md5-perl on my box (but I'm not up to date yet)
so, need to talk to the debian-perl guys and look at debian apache
argh!
Bill - are you able to apply a patch?
--
SvenDowideit - 11 Sep 2012
actually - simplest initial test - can you use htpasswd to see what it outputs by default on your box?
and then, if it's $apr1 style, tell me more about what debian and if you did anything interesting to install apache
--
SvenDowideit - 11 Sep 2012
ok, confirmed, and uploading a 1.1.5_3
I think debian changed a default I didn't even realise I relied on
--
SvenDowideit - 12 Sep 2012
I confirmed your update/changes and now the Debian installer is consistent; the hash is the same in both /etc/foswiki/LocalSite.cfg and /var/lib/foswiki/data/.htpasswd -- tested on 3 separate systems. My only hint now would be that if the Admin appears not to work, try commenting out the /etc/foswiki/LocalSite.cfg part about Password and maybe changing it; but overall it works! Thx
--
BillJones - 12 Sep 2012