
Item12074: Debian installed for 1.1.5 inserts wrong hash for htpasswd and LocalSite.cfg

Priority: Normal
Current State: Closed
Released In: n/a
Target Release: n/a
Applies To: Engine
Component: DebianPackage
Branches: Release01x01
Reported By: BillJones
Waiting For:
Last Change By: SvenDowideit
-- BillJones - 11 Sep 2012

I guess you can say:

    #!/usr/bin/perl
    use strict;
    use warnings;

    # Usage: script.pl <password>
    # Produces a traditional crypt(3) hash, using the password itself as the salt
    # (crypt only takes the first two characters of the salt).
    my $passWord = $ARGV[0];
    print crypt($passWord, $passWord) . "\n";

-- BillJones - 11 Sep 2012

When doing a Debian package install the script prompts to create a hash that is stored in .htpasswd and LocalSite.cfg -- the hashes are identical but do not work the same.
The proper way to generate a hash for Apache to use is:

    htpw=`which htpasswd` ; ${htpw} -c /var/lib/foswiki/data/.htpasswd admin

I'm not sure yet how this gets populated to LocalSite.cfg so for now I copy it manually. This also doesn't work. So what method are you using AFTER Change Password is invoked?

-- BillJones - 11 Sep 2012

Releases of Foswiki prior to 1.1.5 generated a crypt hash of the password. This has some weaknesses and 1.1.5 has made changes to improve the security.

On Foswiki 1.1.5, when you use bin/configure to save a password, it uses a different hash than crypt. It adds salt and generates an MD5 of the password. Unfortunately this hash is not understood by Apache, so you cannot copy a hash from LocalSite.cfg to the apache .htaccess file.

Foswiki still understands crypt encoded passwords, so the solution is to always use crypt to generate the admin password hash, understanding that the password will be truncated to 8 characters. crypt-based password hashes can be copied between LocalSite.cfg and .htaccess.

Your last example shows using the htpasswd command to update data/.htpasswd. Use caution here:
  • In the example you pasted, the -c option will wipe out the entire contents of .htpasswd
  • If you use htpasswd to update the foswiki data/.htpasswd file, note that Foswiki uses an extended .htpasswd format userid:password hash:email@address. The htpasswd utility will not preserve the email addresses.

-- GeorgeClark - 11 Sep 2012

Yes, but I guess I don't understand that if htpasswd is detected then that method should be used to generate the .htpasswd hash... I would think that once you have the password more than one approach can be used as appropriate to make hashes if the initial intent is to ask for the password once at install and later force the user to change it -- or have $Foswiki::cfg{Password} = ''; or leave it out entirely.

-- BillJones - 11 Sep 2012

I just nuked my foswiki for a 10th time and the passwords as created by the debian installer are identical:

$Foswiki::cfg{Password} = '$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.'; .htpasswd is identical: admin:$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.

I think it is better to leave off $Foswiki::cfg{Password} = altogether and force a passwd change.

-- BillJones - 11 Sep 2012

Wow. That's totally broken! $apr1$ is the signature for an "Apache MD5" hash which is not supported by configure. Configure supports two algorithms for the password: Crypt, and its own salted MD5. The reason being, neither of them require extra CPAN modules. Apache MD5 encoding would involve extra dependencies.

See Foswiki::Configure::UI::_encode_MD5() for the code.

-- GeorgeClark - 11 Sep 2012
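The two cautions above (the extended userid:hash:email format that htpasswd does not preserve, and the $apr1$ hash that configure in 1.1.5 cannot verify) can be checked for mechanically. The following Python is an added example, not Foswiki code: it parses the extended .htpasswd format, replaces a hash without losing the email column, and flags an admin hash pair that is not plain crypt (the only scheme this thread says both configure and Apache accept). Sample file contents are constructed; the $apr1$ value is the one quoted later in this thread.

```python
import re

def classify_hash(h):
    """Identify the hash scheme from its prefix/shape ("unknown" covers everything else)."""
    if h.startswith("$apr1$"):
        return "apr1"   # Apache MD5: htpasswd default on the reporter's Debian, not readable by configure 1.1.5
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"  # traditional DES crypt: 2-char salt followed by 11 chars
    return "unknown"

def parse_htpasswd(text):
    """Parse Foswiki's extended .htpasswd format: userid:hash[:email]."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        entries[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return entries

def update_hash_keep_email(text, user, new_hash):
    """Replace one user's hash but keep the email column that the htpasswd tool drops."""
    entries = parse_htpasswd(text)
    entries[user] = (new_hash, entries.get(user, ("", ""))[1])
    return "".join(f"{u}:{h}:{e}\n" if e else f"{u}:{h}\n" for u, (h, e) in entries.items())

def localsite_password(cfg_text):
    """Return $Foswiki::cfg{Password}, or None when the setting is absent or commented out."""
    m = re.search(r"^\s*\$Foswiki::cfg\{Password\}\s*=\s*'([^']*)';", cfg_text, re.M)
    return m.group(1) if m else None

def check_admin_hashes(cfg_text, htpasswd_text, user="admin"):
    """List problems with the admin hash pair; an empty list means the two files agree."""
    cfg_hash = localsite_password(cfg_text)
    if cfg_hash is None:
        return []  # no configure password set: the admin must set one, nothing to compare
    ht_hash = parse_htpasswd(htpasswd_text).get(user, ("", ""))[0]
    problems = []
    if cfg_hash != ht_hash:
        problems.append("LocalSite.cfg and .htpasswd hashes differ")
    for where, h in (("LocalSite.cfg", cfg_hash), (".htpasswd", ht_hash)):
        scheme = classify_hash(h)
        if scheme != "crypt":
            problems.append(f"{where}: {scheme} hash is not usable by both configure and Apache")
    return problems

# Constructed sample files; the $apr1$ value is the one quoted in this thread.
BROKEN_CFG = "$Foswiki::cfg{Password} = '$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.';\n"
BROKEN_HTPASSWD = "admin:$apr1$9en/3c9Q$tIM7UN2/PV6dH/wDtOkjj.:admin@example.com\n"
GOOD_CFG = "$Foswiki::cfg{Password} = 'abJnggxhB/yWI';\n"
GOOD_HTPASSWD = "admin:abJnggxhB/yWI:admin@example.com\nbob:abJnggxhB/yWI:bob@example.com\n"
```

Run `check_admin_hashes(BROKEN_CFG, BROKEN_HTPASSWD)` to see the installer's situation reported: the hashes match, but both are $apr1$ and so cannot be verified by configure.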

Note that we can probably change this (again) for 1.1.6. Item11821 added Crypt::MD5 to the CPAN modules shipped with Foswiki. Configure would be able to understand the Apache hash without extra dependencies.

-- GeorgeClark - 11 Sep 2012

argh! so, we need to check, but this might mean that apache in your debian has changed the default from crypt to md5 for the htpasswd tool

if that's the case, there's another issue - i can't find a libcrypt-md5-perl on my box (but i'm not up to date yet)

so, need to talk to the debian-perl guys and look at debian apache

argh!

Bill - are you able to apply a patch?

-- SvenDowideit - 11 Sep 2012

actually - simplest initial test - can you use htpasswd to see what it outputs by default on your box?

and then, if it's $apr1 style, tell me more about what debian and if you did anything interesting to install apache

-- SvenDowideit - 11 Sep 2012

ok, confirmed, and uploading a 1.1.5_3

I think debian changed a default i didn't even realise i relied on

-- SvenDowideit - 12 Sep 2012

I confirmed your update/changes and now the Debian installer is consistent; the hash is the same in both /etc/foswiki/LocalSite.cfg and /var/lib/foswiki/data/.htpasswd -- tested on 3 separate systems. My only hint now would be that if the Admin appears not to work, try commenting out the /etc/foswiki/LocalSite.cfg part about Password and maybe changing it; but overall it works! Thx

-- BillJones - 12 Sep 2012

Summary: Debian installed for 1.1.5 inserts wrong hash for htpasswd and LocalSite.cfg
ReportedBy: BillJones
Codebase: 1.1.5
SVN Range:
AppliesTo: Engine
Component: DebianPackage
Priority: Normal
CurrentState: Closed
WaitingFor:
Checkins: distro:9b1a3f63cde0
TargetRelease: n/a
ReleasedIn: n/a
CheckinsOnBranches: Release01x01
trunkCheckins:
Release01x01Checkins: distro:9b1a3f63cde0
Topic revision: r12 - 12 Sep 2012, SvenDowideit