Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 572
  • Last Modified:

PERL automation of .htpasswd

I have asked this question before as have many other people but I have never seen an anwser which solved my particular setup.

I need a PERL script which can automatically generate the .htpasswd file for use with .htaccess on an Apache server.  I have only got access to PERL 5.001 and do not have the facility to upgrade nor use modules other than those available with the standard PERL distribution.

At present (as I am sure you are aware), to create a username and password pair I have to telnet in and then type:-

htpasswd -c file user

enter the password twice and then for each subsequent user do the same but minus the -c switch.

What I need is a PERL script which can do this by reading a text file of names and unencrypted passwords and then create the .htpasswd file of names and encrypted passwords. I understand that htpasswd uses something along the lines of:

to64(&salt[0],rand(),2);
cpw = crypt(pw,salt);

but how to use this in a PERL script to create my .htpasswd file I have no idea.

Given the example below I need a script to convert it into the appropriate .htpasswd file:

user1:password1
user2:password2
user3:password3

Thanks in advance
0
Trevor013097
Asked:
Trevor013097
  • 5
  • 4
1 Solution
 
ozoCommented:
@to64=('0'..'9','A'..'Z','a'..'z','.','/');
srand($$+time);
while( <DATA> ){
  ($user,$pw) = split/:/;
  $salt=$to64[rand(64)].$to64[rand(64)];
  $cpw = crypt($pw,$salt);
  print "$user:$cpw\n";
}
__DATA__
user1:password1
user2:password2
user3:password3

0
 
Trevor013097Author Commented:
Hi ozo,

well the code certainly generator a name/encrypted password pair but when itested it with a suitable .htaccess restriction the passwords failed.

This is the code I used to generate the password file which appeared to work okay (ie I had a file with encrypted passwords):


@to64=('0'..'9','A'..'Z','a'..'z','.','/');
srand($$+time);

################################################################
#
# Return Content-type of HTML
#
################################################################

print "Content-type: text/html\n\n";


open(PasswordData, "../docs/secret/passworddata.txt")
      or die "can't open ../docs/secret/passworddata.txt for reading because $!";
            open(PasswordFile, ">../docs/secret/.htpasswd")
                  or die "can't open ../docs/secret/.htpasswd for writing because $!";
      while( <PasswordData> ){
        ($user,$pw) = split(/:/);
        $salt=$to64[rand(64)].$to64[rand(64)];
        $cpw = crypt($pw,$salt);
#        print "$user:$cpw\n";
        print PasswordFile "$user:$cpw\n";
      }
      close(PasswordData);
close(PasswordFile);

  print "All Passwords encrypted\n\n";

1;


The passworddata.txt file looks like this:-

trev:letmein
me:password

and the resulting file (.htpasswd) looks like this:-

trev:SER8liZGw04zo
me:jCnBGraYXCZKQ

but when I put a .htaccess file in a directory and LIMIT to users *trev* and *me* the pop-up appears requesting the password but it fails with authorization required.


0
 
ozoCommented:
Well, I did forget to do a
  chomp;
before the
  ($user,$pw) = split(/:/);
which would have changed the
trev:SER8liZGw04zo
to
trev:SE7gum0tJ6hP6
but
me:jCnBGraYXCZKQ
would be the same, since "password" has 8 letters already...
What does
htpasswd -c file user
create?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Trevor013097Author Commented:
Okay ozo,

I think we have a small problem.  When I added a chomp; line the new passwords generated were:-

trev:14916O3L./PTQ
me:pYw5pQf1/i11w

however when I create them using

htpasswd -c file user

and then

htpasswd file user

I get:-

trev:psTPlr1R2qDEU
me:8m7UxPXfRw7/2

I get the feeling that the PERL script is encrypting with a different key or am I barking up the wrong tree?


0
 
Trevor013097Author Commented:
ozo,

I don't fully understand this passwording thing.  Everytime I re-run the program I get a different set of name/password pairs, I assume due to the random number and variable time being used.  So how therefore does the htpasswd program on the server know how to decrypt the passowrd in order to verify it?  Am I just being stupid? (probably..)


0
 
ozoCommented:
the salt is the first 2 characters of cpw, so to verify it check that
crypt($pw,$cpw) eq $cpw;
The documentation for crypt explains this.

(and setting $salt to 'ps' or '8m' instead of random does give the same thing as htpasswd file user)

Sorry again for the chomp problem.
0
 
hutterCommented:
Trevor,

you can't verify the passwords by generating them again. The same password entered at two different points in time will yield different output. But the encrypted passwords will be recognized. I have tried the script and it works wonderfully. The passwords are accepted by the Apache server with no problems.
0
 
Trevor013097Author Commented:
excellent ozo, it works.

Absolutley no idea what was causing me problems.  I simply recreated the password file and then the user *me* worked fine but still user *trev* failed.  ithen closed my browser and retried and it worked. I think it had something to do with the proxy I am running through, however it all works fine.  Thanks for your help, post your answer and I'll grade it.


0
 
ozoCommented:
$cpw = crypt($pw,$salt);
0
 
Trevor013097Author Commented:
Thanks ozo,

Has been nice working with you again.


0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now