password_encryptions.html.en 12.4 KB
Newer Older
powelld's avatar
powelld committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
<!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>Password Formats - Apache HTTP Server Version 2.4</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">
</script>

<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.4</p>
<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Password Formats</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/misc/password_encryptions.html" hreflang="fr" rel="alternate" title="Franais">&nbsp;fr&nbsp;</a></p>
</div>

    <p>Notes about the password encryption formats generated and understood by
    Apache.</p>
  </div>
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#basic">Basic Authentication</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#digest">Digest Authentication</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="basic" id="basic">Basic Authentication</a></h2>

    <p>There are five formats that Apache recognizes for basic-authentication
    passwords. Note that not all formats work on every platform:</p>

    <dl>
       <dt>bcrypt</dt>
       <dd>"$2y$" + the result of the crypt_blowfish algorithm.
       See the APR source file
       <a href="http://svn.apache.org/viewvc/apr/apr/trunk/crypto/crypt_blowfish.c?view=markup">crypt_blowfish.c</a>
       for the details of the algorithm.</dd>

       <dt>MD5</dt>
       <dd>"$apr1$" + the result of an Apache-specific algorithm using an
       iterated (1,000 times) MD5 digest of various combinations of a
       random 32-bit salt and the password. See the APR source file
       <a href="http://svn.apache.org/viewvc/apr/apr/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a>
       for the details of the algorithm.</dd>

       <dt>SHA1</dt>
       <dd>"{SHA}" + Base64-encoded SHA-1 digest of the password. Insecure.</dd>

       <dt>CRYPT</dt>
       <dd>Unix only. Uses the traditional Unix <code>crypt(3)</code> function
       with a randomly-generated 32-bit salt (only 12 bits used) and the first 8
       characters of the password. Insecure.</dd>

       <dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
       <dd>Windows &amp; Netware only. Insecure.</dd>
    </dl>

    <h3>Generating values with htpasswd</h3>

      <div class="example"><h3>bcrypt</h3><p><code>
      $ htpasswd -nbB myName myPassword<br />
      myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC
      </code></p></div>

      <div class="example"><h3>MD5</h3><p><code>
      $ htpasswd -nbm myName myPassword<br />
      myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
      </code></p></div>

      <div class="example"><h3>SHA1</h3><p><code>
      $ htpasswd -nbs myName myPassword<br />
      myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
      </code></p></div>

      <div class="example"><h3>CRYPT</h3><p><code>
      $ htpasswd -nbd myName myPassword<br />
      myName:rqXexS6ZhobKA
      </code></p></div>

    

    <h3>Generating CRYPT and MD5 values with the OpenSSL
             command-line program</h3>
      

      <p>OpenSSL knows the Apache-specific MD5 algorithm.</p>

      <div class="example"><h3>MD5</h3><p><code>
      $ openssl passwd -apr1 myPassword<br />
      $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
      </code></p></div>

      <div class="example"><h3>CRYPT</h3><p><code>
      openssl passwd -crypt myPassword<br />
      qQ5vTYO3c8dsU
      </code></p></div>
    

    <h3>Validating CRYPT or MD5 passwords with the OpenSSL command
             line program</h3>
      
      <p>The salt for a CRYPT password is the first two characters (converted to
      a binary value). To validate <code>myPassword</code> against
      <code>rqXexS6ZhobKA</code></p>

      <div class="example"><h3>CRYPT</h3><p><code>
      $ openssl passwd -crypt -salt rq myPassword<br />
      Warning: truncating password to 8 characters<br />
      rqXexS6ZhobKA
      </code></p></div>

      <p>Note that using <code>myPasswo</code> instead of
      <code>myPassword</code> will produce the same result because only the
      first 8 characters of CRYPT passwords are considered.</p>

      <p>The salt for an MD5 password is between <code>$apr1$</code> and the
      following <code>$</code> (as a Base64-encoded binary value - max 8 chars).
      To validate <code>myPassword</code> against
      <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>

      <div class="example"><h3>MD5</h3><p><code>
      $ openssl passwd -apr1 -salt r31..... myPassword<br />
      $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
      </code></p></div>
    

    <h3>Database password fields for mod_dbd</h3>
      <p>The SHA1 variant is probably the most useful format for DBD
      authentication. Since the SHA1 and Base64 functions are commonly
      available, other software can populate a database with encrypted passwords
      that are usable by Apache basic authentication.</p>

      <p>To create Apache SHA1-variant basic-authentication passwords in various
      languages:</p>

      <div class="example"><h3>PHP</h3><p><code>
      '{SHA}' . base64_encode(sha1($password, TRUE))
      </code></p></div>

      <div class="example"><h3>Java</h3><p><code>
      "{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
      </code></p></div>

      <div class="example"><h3>ColdFusion</h3><p><code>
      "{SHA}" &amp; ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
      </code></p></div>

      <div class="example"><h3>Ruby</h3><p><code>
      require 'digest/sha1'<br />
      require 'base64'<br />
      '{SHA}' + Base64.encode64(Digest::SHA1.digest(password))
      </code></p></div>

      <div class="example"><h3>C or C++</h3><p><code>
      Use the APR function: apr_sha1_base64
      </code></p></div>

      <div class="example"><h3>Python</h3><p><code>
      import base64<br />
      import hashlib<br />
      "{SHA}" + format(base64.b64encode(hashlib.sha1(password).digest()))
      </code></p></div>

      <div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions
               installed)</h3><p><code>
        
        '{SHA}'||encode(digest(password,'sha1'),'base64')
      </code></p></div>
    

  </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="digest" id="digest">Digest Authentication</a></h2>
    <p>Apache recognizes one format for
    digest-authentication passwords - the MD5 hash of the string
    <code>user:realm:password</code> as a 32-character string of hexadecimal
    digits. <code>realm</code> is the Authorization Realm argument to the
    <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive in
    httpd.conf.</p>

    <h3>Database password fields for mod_dbd</h3>

      <p>Since the MD5 function is commonly available, other software can
      populate a database with encrypted passwords that are usable by Apache
      digest authentication.</p>

      <p>To create Apache digest-authentication passwords in various
      languages:</p>

      <div class="example"><h3>PHP</h3><p><code>
      md5($user . ':' . $realm . ':' .$password)
      </code></p></div>

      <div class="example"><h3>Java</h3><p><code>
      byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
      java.math.BigInteger bi = new java.math.BigInteger(1, b);<br />
      String s = bi.toString(16);<br />
      while (s.length() &lt; 32)<br />
      <span class="indent">
        s = "0" + s;
      </span>
      // String s is the encrypted password
      </code></p></div>

      <div class="example"><h3>ColdFusion</h3><p><code>
      LCase(Hash( (user &amp; ":" &amp; realm &amp; ":" &amp; password) , "MD5"))
      </code></p></div>

      <div class="example"><h3>Ruby</h3><p><code>
      require 'digest/md5'<br />
      Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
      </code></p></div>

      <div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions installed)</h3><p><code>
        
        encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
      </code></p></div>

    
  </div></div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/misc/password_encryptions.html" hreflang="fr" rel="alternate" title="Franais">&nbsp;fr&nbsp;</a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/password_encryptions.html';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    }
    else { 
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
    }
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {
    prettyPrint();
}
//--><!]]></script>
</body></html>