Solved

PERL automation of .htpasswd

Posted on 1998-03-10
10
545 Views
Last Modified: 2012-06-27
I have asked this question before as have many other people but I have never seen an anwser which solved my particular setup.

I need a PERL script which can automatically generate the .htpasswd file for use with .htaccess on an Apache server.  I have only got access to PERL 5.001 and do not have the facility to upgrade nor use modules other than those available with the standard PERL distribution.

At present (as I am sure you are aware), to create a username and password pair I have to telnet in and then type:-

htpasswd -c file user

enter the password twice and then for each subsequent user do the same but minus the -c switch.

What I need is a PERL script which can do this by reading a text file of names and unencrypted passwords and then create the .htpasswd file of names and encrypted passwords. I understand that htpasswd uses something along the lines of:

to64(&salt[0],rand(),2);
cpw = crypt(pw,salt);

but how to use this in a PERL script to create my .htpasswd file I have no idea.

Given the example below I need a script to convert it into the appropriate .htpasswd file:

user1:password1
user2:password2
user3:password3

Thanks in advance
0
Comment
Question by:Trevor013097
  • 5
  • 4
10 Comments
 
LVL 84

Expert Comment

by:ozo
ID: 1209871
@to64=('0'..'9','A'..'Z','a'..'z','.','/');
srand($$+time);
while( <DATA> ){
  ($user,$pw) = split/:/;
  $salt=$to64[rand(64)].$to64[rand(64)];
  $cpw = crypt($pw,$salt);
  print "$user:$cpw\n";
}
__DATA__
user1:password1
user2:password2
user3:password3

0
 
LVL 5

Author Comment

by:Trevor013097
ID: 1209872
Hi ozo,

well the code certainly generator a name/encrypted password pair but when itested it with a suitable .htaccess restriction the passwords failed.

This is the code I used to generate the password file which appeared to work okay (ie I had a file with encrypted passwords):


@to64=('0'..'9','A'..'Z','a'..'z','.','/');
srand($$+time);

################################################################
#
# Return Content-type of HTML
#
################################################################

print "Content-type: text/html\n\n";


open(PasswordData, "../docs/secret/passworddata.txt")
      or die "can't open ../docs/secret/passworddata.txt for reading because $!";
            open(PasswordFile, ">../docs/secret/.htpasswd")
                  or die "can't open ../docs/secret/.htpasswd for writing because $!";
      while( <PasswordData> ){
        ($user,$pw) = split(/:/);
        $salt=$to64[rand(64)].$to64[rand(64)];
        $cpw = crypt($pw,$salt);
#        print "$user:$cpw\n";
        print PasswordFile "$user:$cpw\n";
      }
      close(PasswordData);
close(PasswordFile);

  print "All Passwords encrypted\n\n";

1;


The passworddata.txt file looks like this:-

trev:letmein
me:password

and the resulting file (.htpasswd) looks like this:-

trev:SER8liZGw04zo
me:jCnBGraYXCZKQ

but when I put a .htaccess file in a directory and LIMIT to users *trev* and *me* the pop-up appears requesting the password but it fails with authorization required.


0
 
LVL 84

Expert Comment

by:ozo
ID: 1209873
Well, I did forget to do a
  chomp;
before the
  ($user,$pw) = split(/:/);
which would have changed the
trev:SER8liZGw04zo
to
trev:SE7gum0tJ6hP6
but
me:jCnBGraYXCZKQ
would be the same, since "password" has 8 letters already...
What does
htpasswd -c file user
create?
0
 
LVL 5

Author Comment

by:Trevor013097
ID: 1209874
Okay ozo,

I think we have a small problem.  When I added a chomp; line the new passwords generated were:-

trev:14916O3L./PTQ
me:pYw5pQf1/i11w

however when I create them using

htpasswd -c file user

and then

htpasswd file user

I get:-

trev:psTPlr1R2qDEU
me:8m7UxPXfRw7/2

I get the feeling that the PERL script is encrypting with a different key or am I barking up the wrong tree?


0
 
LVL 5

Author Comment

by:Trevor013097
ID: 1209875
ozo,

I don't fully understand this passwording thing.  Everytime I re-run the program I get a different set of name/password pairs, I assume due to the random number and variable time being used.  So how therefore does the htpasswd program on the server know how to decrypt the passowrd in order to verify it?  Am I just being stupid? (probably..)


0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 84

Expert Comment

by:ozo
ID: 1209876
the salt is the first 2 characters of cpw, so to verify it check that
crypt($pw,$cpw) eq $cpw;
The documentation for crypt explains this.

(and setting $salt to 'ps' or '8m' instead of random does give the same thing as htpasswd file user)

Sorry again for the chomp problem.
0
 
LVL 1

Expert Comment

by:hutter
ID: 1209877
Trevor,

you can't verify the passwords by generating them again. The same password entered at two different points in time will yield different output. But the encrypted passwords will be recognized. I have tried the script and it works wonderfully. The passwords are accepted by the Apache server with no problems.
0
 
LVL 5

Author Comment

by:Trevor013097
ID: 1209878
excellent ozo, it works.

Absolutley no idea what was causing me problems.  I simply recreated the password file and then the user *me* worked fine but still user *trev* failed.  ithen closed my browser and retried and it worked. I think it had something to do with the proxy I am running through, however it all works fine.  Thanks for your help, post your answer and I'll grade it.


0
 
LVL 84

Accepted Solution

by:
ozo earned 400 total points
ID: 1209879
$cpw = crypt($pw,$salt);
0
 
LVL 5

Author Comment

by:Trevor013097
ID: 1209880
Thanks ozo,

Has been nice working with you again.


0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Email validation in proper way is  very important validation required in any web pages. This code is self explainable except that Regular Expression which I used for pattern matching. I originally published as a thread on my website : http://www…
I have been pestered over the years to produce and distribute regular data extracts, and often the request have explicitly requested the data be emailed as an Excel attachement; specifically Excel, as it appears: CSV files confuse (no Red or Green h…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now