Page 1 of 1

apache: enable password encryption

PostPosted: 23. July 2010 15:10
by jonas-e
Hi there!

I have xampp locally on my winxp machine for development and my remote host provides a linux-based platform.

I have made an .htacces-file and an .thpasswd-file in a directory - except on my xampp-installation the .htpasswd is not encrypted - i.e.
Code: Select all
user:user

While on the remote host:
Code: Select all
user:hal/Gtt93qGmc


That makes it a lot harder to keep my dev-site and production-site in sync. Any suggestions how to enbale the password-encryption on my local apache? (I've tried googling quite a bit of course).

/cheers

Re: apache: enable password encryption

PostPosted: 23. July 2010 23:24
by JonB
In the apache\bin folder is the commandline utility htpasswd.exe, which may offer a solution.

BUT I'm not 100% on board with this yet. :roll:

:mrgreen:

Re: apache: enable password encryption

PostPosted: 24. July 2010 12:36
by jonas-e
Hello again - and thanks for the advice both of you!

Creating new users+password works fine this way according to your suggestions:
Code: Select all
htpasswd.exe -b .htpasswd user user


But that is not really what I need. My xampp/apache installation does not USE encrypted passwords. If put the following in my .htpasswd on my localhost:
Code: Select all
user:$apr1$fz7EFMWw$yF7b/ocHZvtmvqOy42SpZ.

- my localhost will prompt me for it and I will have to type the value "$apr1$fz7EFMWw$yF7b/ocHZvtmvqOy42SpZ." into the dialogue - while on the remote host I type the value "user" into it - both servers using the EXACT same .htpasswd file! (tried both ANSI and UTF-8 encoding the file - doesn't make a difference).

So what I need is to configure my localhost apache to USE the encryption ... :?

Re: apache: enable password encryption

PostPosted: 25. July 2010 21:42
by JonB
Hi

I kinda held my fire earlier to see if your experiment would bear fruit where mine have not so far.

Below is my original draft: (BUT I had not taken time to do the test you just did That was why I said this:
"I'm not 100% on-board with this yet". - it was on the agenda for this afternoon, now that laundry is done - but you beat me to it. :shock: )
----------------------------->
Using basic authentication on WINDOWS - AFAIK you can't, I'm pretty sure from my research that the Apache (ASF) released mod_auth is reliant on a *nix system call that is not available on Windows (base64encode). There is an IIS-specific handler for this, but I am unaware of any for the ASF Apache for Windows binaries. If you (or anyone else) locate(s) one, I'd be very interested myself. :!:

I'm a cross platform specialist (IIS & Apache), so I have the same issues, :wink:

Good Luck
8)

also see this:
Code: Select all
http://msdn.microsoft.com/en-us/library/aa388178(VS.85).aspx

http://helicontech.blogspot.com/2009/02 ... ation.html
(methinks wole is wong LOL)

:mrgreen:

Re: apache: enable password encryption

PostPosted: 27. July 2010 10:07
by jonas-e
Thanks a bundle JonB. I thought there was a straight forward easy solution for this - e.g. "Just add this line to the .conf-file and restart Apache". But apparently there isn't. To bad .. :(

Well, it's a luxury problem - my local site doesn't have to be protected. I just have to remember to rename my tmp.htacces to .htacces on the remote host ...

Re: apache: enable password encryption

PostPosted: 27. July 2010 13:01
by JonB
Yanno - you might have just pointed out a 'fix' -

the password and access directives files can have any name you choose actually --

Presto - no renaming !

8)

Re: apache: enable password encryption

PostPosted: 27. July 2010 15:32
by jonas-e
Eeh - I don't get that ..?

Re: apache: enable password encryption

PostPosted: 27. July 2010 22:18
by JonB
You can change the file naming convention for access directives in Apache.

Its an Apache directive itself, LOL sorta: foo(foo)

God - that it bad - but I always get a kick out of the 'foo' stuff. HEY I did Unix befo' there was a 'doze' - I can make stupid unix jokes.

OK seriously its - AccessFileName

http://httpd.apache.org/docs/2.0/mod/core.html

sooo - you have your XAMPPY set to use .htwin

AccessFileName .htwin

I'm pretty sure would need to be added to httpd.conf on local XAMPP. (or it can be donr in a vhost)

THEN you make your directives in the .htwin files point at the plaintext (unencrypted) .htwinpassword file.

And leave your LAMP 'real server' set to read .htaccess and .htpassword (as it does now)

BOTH are protected against download by a FILES block by default.

(drumroll) ~ Ta DA ~

the two directive sets would be mirrors OTHER than the password filenames.

One downside -- still have to sync them at least once.


I have a JonB confidence level of 99.5% on this one...

:mrgreen:

where's my Guiness? hehehe

Re: apache: enable password encryption

PostPosted: 28. July 2010 05:48
by Altrea
JonB wrote:I'm pretty sure would need to be added to httpd.conf on local XAMPP

apache\conf\extra\httpd-default.conf line 45 ;)

JonB wrote:I have a JonB confidence level of 99.5% on this one...

:mrgreen: :mrgreen:

Re: apache: enable password encryption

PostPosted: 28. July 2010 06:41
by jonas-e
Thanks for your help folks!