Received: (qmail 6984 invoked by uid 2012); 27 Dec 1999 18:19:18 -0000
Message-Id: <19991227181918.6983.qmail@hyperreal.org>
Date: 27 Dec 1999 18:19:18 -0000
From: Nicholas Berry <nberry@corp.jps.net>
Reply-To: nberry@corp.jps.net
To: apbugs@hyperreal.org
Subject: htpasswd encryption method with apache 1.3.x differs from apache previous to 1.2
X-Send-Pr-Version: 3.2

>Number:         5514
>Category:       general
>Synopsis:       htpasswd encryption method with apache 1.3.x differs from apache previous to 1.2
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          closed
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Dec 27 10:20:01 PST 1999
>Last-Modified:  Mon Dec 27 13:10:01 PST 1999
>Originator:     nberry@corp.jps.net
>Organization:
>Release:        1.3.9
>Environment:
BSD/OS corpweb1.jps.net 4.0.1 BSDI BSD/OS 4.0.1 Kernel #1: Sun Dec 19 12:54:06 PST 1999     root@corpweb1.jps.net:/usr/src/sys/compile/LOCAL  i386
>Description:
Username/passwords within a htpasswd file from pre apache 1.2 are not compatible with apache 1.3.x.  I have customers with approx. 80-100 usernames and passwords in their htpasswd files and all of them will have to be recreated by hand, except that we do not have a list of username/passwords within that file.
>How-To-Repeat:
Go to www.ufaa2.com, username/password is 'Steve Todd'/gundog.  
>Fix:
Create a converter from pre apache 1.2 htpasswd files to apache 1.3 method.
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: marc
State-Changed-When: Mon Dec 27 10:26:03 PST 1999
State-Changed-Why:
They are perfectly compatible.  Normally, Apache doesn't
encrypt them itself; your OS's crypt() function does.  If you
change OSes and have a different crypt() function, then...
well... there isn't much we can do about that...

If I were you, I would look very closely at the problem to
ensure that what you think is the problem is actually the
problem and it isn't really something else.

From: Marc Slemko <marcs@znep.com>
To: Nicholas Berry <nberry@corp.jps.net>
Cc: Apache bugs database <apbugs@apache.org>
Subject: Re: general/5514: htpasswd encryption method with apache 1.3.x
 differs from apache previous to 1.2
Date: Mon, 27 Dec 1999 14:07:10 -0700 (MST)

 On Mon, 27 Dec 1999, Nicholas Berry wrote:
 
 > Does the htaccess portion of Apache 1.3.9 read the encrypted passwords any
 > differently than past versions or does it read the encrypted passwords based
 > on the crypt() library included with BSDI 4.01.
 > 
 > We were running BSDI 3.1 with Apache 1.1.3, but upgraded to BSDI 4.01 (for
 > Y2K reasons) and upgraded to Apache 1.3.9 for Name based virtual hosting.
 > Which upgrade affected the way that the system reads the .htpasswd file?
 > 
 > Thanks for your help.
 
 As I said, it uses your OS's crypt() function.  
 
 You need to figure out what the old crypt() function returned and what the
 new one does and why your OS is doing something different.
 
 > Nicholas Berry
 > JPS.Net, a Onemain.com Company
 > Network Operations Department
 > Cisco Network Engineer
 > 
 > ----- Original Message -----
 > From: <marc@apache.org>
 > To: <apache-bugdb@apache.org>; <marc@apache.org>; <nberry@corp.jps.net>
 > Sent: Monday, December 27, 1999 6:26 PM
 > Subject: Re: general/5514: htpasswd encryption method with apache 1.3.x
 > differs from apache previous to 1.2
 > 
 > 
 > > [In order for any reply to be added to the PR database, ]
 > > [you need to include <apbugs@Apache.Org> in the Cc line ]
 > > [and leave the subject line UNCHANGED.  This is not done]
 > > [automatically because of the potential for mail loops. ]
 > > [If you do not include this Cc, your reply may be ig-   ]
 > > [nored unless you are responding to an explicit request ]
 > > [from a developer.                                      ]
 > > [Reply only with text; DO NOT SEND ATTACHMENTS!         ]
 > >
 > >
 > > Synopsis: htpasswd encryption method with apache 1.3.x differs from apache
 > previous to 1.2
 > >
 > > State-Changed-From-To: open-closed
 > > State-Changed-By: marc
 > > State-Changed-When: Mon Dec 27 10:26:03 PST 1999
 > > State-Changed-Why:
 > > They are perfectly compatible.  Normally, Apache doesn't
 > > encrypt them itself; your OS's crypt() function does.  If you
 > > change OSes and have a different crypt() function, then...
 > > well... there isn't much we can do about that...
 > >
 > > If I were you, I would look very closely at the problem to
 > > ensure that what you think is the problem is actually the
 > > problem and it isn't really something else.
 > >
 > >
 > 
 
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]