Joined: Dec 1999
Posts: 37
Power User
Hi,

I have been using a perl script that was posted here a long time ago (w3t days) to synchronize a .htaccess password file with the passwords in the forum database.

After upgrading from 5.4.3 to 6.1.1 the script still works and creates the userfile.
However, the password encryption has changed to md5 on ubbt. As new users are registered and old users change their passwords, the database contains passwords encrypted with the old and new methods.

Now the password file the script creates contains some passwords encrypted the old way, and some passwords encrypted with md5 the new way.

Since I used AuthType Basic in my .htaccess the newly md5 encrypted passwords are not recognized.

If I make the proper changes to use AuthType Digest, is it backwards compatible to also accept the old style encrypted passwords? If that is not possible, is there a way I can tell the database to re-encrypt everyone's current passwords with md5, so I can exclusively use AuthType Digest?

Thanks


Here is the script I use:

#!/usr/bin/perl
################################################
# A script for converting users in the w3t_Users table into an
# .htaccess file
# Edit the $path variable and run this from the command line.
# Make sure you have permission to create and write to files in the
# directory you specify with $path.
# Rick Baker [email protected]
################################################
use w3tvars qw(%config);
use w3t qw($dbh);
use strict;
# --------------------------
# Path to the .htaccess file
my $path = "/home/httpd/databaseusers/dbusers";
# -----------------------
# Connect to the database
w3t::db_connect();
# -----------------------------------------------------------
# Grab all of the usernames and passwords out of the database
my $query = qq!
  SELECT U_Username,U_Password
  FROM   w3t_Users
!;
my $sth = $dbh->prepare($query) or die "Query syntax error: $DBI::errstr. Query: $query";
$sth->execute() or die "Can't execute query: $query. Reason: $DBI::errstr";
# ------------------------------------------------
# Now we cycle through the rows and print them out
# (one "username:hash" line per user, hash copied as stored in the database)
open(my $fh, '>', $path) or die "Can't open $path for writing: $!";
while (my ($User, $Password) = $sth->fetchrow_array) {
    print $fh "${User}:${Password}\n";
}
close($fh);


tgnb
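
An added example, not part of the original post or of the UBB.threads code: a small audit of the user file the script above generates, sorting entries by hash format so the accounts already stored as bare md5 can be listed before any AuthType change. The sample lines, the function names and the format labels are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of the generated user file after the upgrade:
# one "user:hash" pair per line, hash copied verbatim from the database.
SAMPLE_USERFILE = """\
alice:ab1Xk9pQz3LmE
bob:5f4dcc3b5aa765d61d8327deb882cf99
carol:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
dave:
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2-char salt + 11-char hash
RAW_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")      # bare hex md5(), no prefix

# Which file-based AuthType can use the entry exactly as written.
ACCEPTED_BY = {
    "des-crypt": "Basic",
    "apache-md5": "Basic",
    "raw-md5": None,   # Basic cannot verify it; Digest wants md5(user:realm:pw)
    "unknown": None,
}


def classify(hash_field):
    """Name the storage format of one password field."""
    if DES_CRYPT.match(hash_field):
        return "des-crypt"
    if RAW_MD5.match(hash_field):
        return "raw-md5"
    if hash_field.startswith("$apr1$"):
        return "apache-md5"
    return "unknown"


def audit(userfile_text):
    """Return (count per format, users whose entry no AuthType accepts as-is)."""
    counts, unusable = Counter(), []
    for line in userfile_text.splitlines():
        if not line.strip():
            continue
        user, _, hash_field = line.partition(":")
        kind = classify(hash_field)
        counts[kind] += 1
        if ACCEPTED_BY[kind] is None:
            unusable.append(user)
    return counts, unusable


if __name__ == "__main__":
    print(audit(SAMPLE_USERFILE))
```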
Joined: Aug 2002
Posts: 1,191
Kahuna
Although I am not an expert in .htaccess files, I have to say that what you are trying to do is mighty difficult.

I was thinking of creating a program that would check all passwords in the database and update them to the MD5 mechanism. The problem that we have though is that both crypt and md5 are hash and not encryption algorithms. The difference is that an encryption algorithm caters for storing information on how to decrypt the source, while the hash is not meant to be "reverse engineered" on purpose.

I really don't know the size of your site (user-wise), but just a thought would be to tell everyone to change their passwords (and that would include only members that signed up before you changed to 6.1.1). This way the md5 mechanism will be invoked in the changebasic.php and all passwords would be in md5.

Sorry but that is as far as I could get with this....

Warm regards

Nikos


Nikos
Joined: Dec 1999
Posts: 37
Power User
So this is where I think I stand:

- I can't use both AuthType Basic and AuthType Digest at the same time
- I can't re-hash all passwords in the database to md5

So my choices as I see them as of now are:

- Stop using .htaccess until all users have changed their passwords and hope that all of them do by a given deadline.
- Hope for someone to provide instructions how to re-generate random passwords for all users and have them emailed to them.

Can anyone think of another solution?


tgnb
Joined: Aug 2002
Posts: 1,191
Kahuna
Axel,

You can use the attached script to achieve what you need. First inform your users that all passwords will change on the XX day of the month and the new passwords will be emailed to them.

Second, download the passwordchange.php file (attached in this message), upload it to your server and log in to your forum.

Run the script and you are there (put in the address bar http://blahblah.com/forum/passwordchange.php)!

The script will check if you are logged in first. Then it will query the database for all authorized users.

It will grab each user in turn and generate a new password for them (random). The new password will be encrypted, the database updated and then the user will be emailed with the new password.

Credits to Rick because he wrote most of this script (I got the general idea and some snippets from the adduser.php file).

Make sure you back up your database - at least the Users table - before doing anything with this script.

Now you will need to change the query a bit if you want to include/exclude some members and also alter the email text to whatever you want.

I hope this helps

Warm regards

Nikos
Attachments
62165-passwordchange.zip (0 Bytes, 10 downloads)


Nikos
Joined: Dec 1999
Posts: 37
Power User
dimopoulos,

First off I'd like to thank you for the attached script. It did its job. Thank you.

However, at this point I have run into another snag.
All passwords in the sql database are now freshly new and md5 hashed.

I added 2 lines to my apache conf file:

LoadModule digest_auth_module lib/apache/mod_auth_digest.so
AddModule mod_auth_digest.c

I changed my .htaccess file to:

AuthType Digest
AuthName "myrealm"
AuthDigestFile /path/to/password/file

<LIMIT GET POST>
require valid-user
</LIMIT>

However, the old perl script posted above that creates the userfile doesn't create it in the right format:

It makes:
tgnb:eca0249f7bf2fb3515bd7e319f5c2ab5

With AuthType Digest, apache needs:
tgnb:myrealm:eca0249f7bf2fb3515bd7e319f5c2ab5

This of course causes this in the apache error log:

[Fri Dec 20 08:09:49 2002] [error] [client xxx.xxx.xxx.xxx] Digest: user `tgnb' in realm `myrealm' not found: /some/path

/some/path being the .htaccess protected part of the site

Even if I change the password file manually for testing, I still get this in my apache error log:

[Fri Dec 20 08:24:24 2002] [error] [client xxx.xxx.xxx.xxx] Digest: user tgnb: password mismatch: /some/path

I edited the perl script so it creates the password file in the right format.

At this point I am a bit lost not understanding why there would be a password mismatch.

the board uses md5
apache uses md5
apache finds the userfile
apache finds the realm in the userfile
but apache can't match the passwords in it

=====

While reading docs etc on how to do the Digest authentication I also came across something even more interesting

http://www.widexl.com/scripts/documentation/htaccess.html

Auth MySQL

I'd imagine if I got AuthMySQL to work I could skip the entire procedure of having to run an old perl script in a cron job to update a password file because apache would use the database to authenticate.

To set Auth MySQL up I have to put this in the .htaccess file:

Auth_MYSQLdatabase: This is your database with the member's info.
Auth_MYSQLpwd_table: The members info table containing (username/password).
Auth_MYSQLuid_field: The username field.
Auth_MYSQLpwd_field: The password field.
Auth_MYSQL_EncryptedPasswords: Are the password MySQL encrypt. [on|off].

So I have the following questions:
What is the table containing username and password?
What is the username field?
What is the password field?
And finally I guess I'll have to test if apache will accept the encrypted passwords.. hehe

Thanks for your time and support.

Last edited by tgnb; 12/20/2002 11:43 AM.

tgnb
Joined: Aug 2002
Posts: 1,191
Kahuna
Axel

I am glad that the script helped.

The users table is w3t_users (unless you have a different prefix on your tables)

U_Username and U_Password are the username and password fields

Warm regards

Nikos


Nikos
Joined: Dec 1999
Posts: 37
Power User
I have since my last post read the docs for mod_auth_mysql:

http://www.diegonet.com/support/mod_auth_mysql.shtml

Auth_MySQL_Encryption_Types:
[Plaintext, Crypt_DES, MySQL] don't seem to cover md5

Back to figuring out why I get a password mismatch when using the AuthType Digest method in apache. Any ideas? Comments?

Thanks


tgnb
Joined: Apr 2002
Posts: 1,768
Addict
Is mod_auth_digest.c the module that's doing the check and giving the mismatch message? If so, can you add some debug output to it to see what's going on, and remake the .so?

Joined: Dec 1999
Posts: 37
Power User
Ok, I did some more digging and found the following:

I can manually create a md5 password for apache using the htdigest command.
I can successfully authenticate with this generated password.

So I know that my apache's digest authentication is working.

If I compare the md5 sum of the htdigest generated password to the md5 sum of the board generated password they don't match. Hence I get the mismatch error in my apache logs.

Does this mean there are different methods for creating a md5 sum for passwords?
Or better yet, why does the board create a different md5 sum than the htdigest command and what can I possibly do about it?

Thanks for your help

Last edited by tgnb; 12/23/2002 11:41 AM.

tgnb
Joined: Apr 2002
Posts: 1,768
Addict
I don't know exactly how htdigest encodes the passwords.

Does the approach you're using allow you to provide code for Apache to use in checking the password? If so, you could fetch the encoded password from the UBB.threads database and verify it with the PHP md5() function, just like threads.

An alternate solution would be to hook HTTP authentication into the UBB.threads script: HTTP authentication with PHP.

Joined: Dec 1999
Posts: 37
Power User
I'm really sorry Dave_L, but I'm not really sure I followed your question.

I run the script
the script pulls the md5 encoded passwords from the database and puts them in a password file
a line in this file reads something like this:

tgnb:securearea:e3bd5b471e68750a6633fc1404f6064g

htdigest command is an apache command line command to manually create a line in a password file such as the one above. However, if I use htdigest like this:

#htdigest /path/to/password/file securearea tgnb

I get a line in the password file that looks like this:

tgnb:securearea:ea28130d3a6a307b5cdef133d3289f7e

Both of these lines are md5 encoded, and both were created using the same password. The only difference is one was made by the board and extracted from sql and the other is created by htdigest.
The resulting md5 hash is different however.
Apache can recognize the md5 hash made by its own htdigest command but not the md5 hash created by the board (php?) for the same password.

Last edited by tgnb; 12/23/2002 3:17 PM.

tgnb
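
An added example, not part of the original posts or of Apache or UBB.threads code: the third field of an htdigest file is MD5 of the string "user:realm:password" (the HA1 value of RFC 2617), not MD5 of the password alone, so a file line built from a bare md5(password) fails the server's check. The password, nonce and helper names are constructed, and the board is assumed to store a plain md5 of the password, as the thread describes.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def board_hash(password):
    """Assumed forum storage, per the thread: plain md5 of the password."""
    return md5_hex(password)


def htdigest_line(user, realm, password):
    """Line format of an htdigest file: user:realm:MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value, computed from HA1 and the request parameters."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(file_line, password, method="GET", uri="/some/path",
                   nonce="constructed-nonce", nc="00000001", cnonce="0a4f113b"):
    """Simulate one login: the browser derives HA1 from the typed password,
    the server reads HA1 from the third field of its password file."""
    user, realm, stored_ha1 = file_line.split(":", 2)
    client_ha1 = md5_hex(f"{user}:{realm}:{password}")
    client = expected_response(client_ha1, method, uri, nonce, nc, cnonce)
    server = expected_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(client, server)


if __name__ == "__main__":
    user, realm, password = "tgnb", "securearea", "constructed-password"
    from_htdigest = htdigest_line(user, realm, password)
    from_board = f"{user}:{realm}:{board_hash(password)}"  # sync script output
    print(from_htdigest, server_accepts(from_htdigest, password))
    print(from_board, server_accepts(from_board, password))
```

Because the user name and realm are hashed together with the password, the third field cannot be derived from a stored md5(password); it has to be computed while the plaintext is available, for example when the password is set or changed.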
Joined: Apr 2002
Posts: 1,768
Addict
I found this note in the man page for htpasswd: "The MD5 algorithm used by htpasswd is specific to the Apache software; passwords encrypted using it will not be usable with other Web servers."

As I recall, I dug through the Apache source code a while ago trying to figure out how it did the MD5 stuff, and gave up.

I know you're using htdigest instead of htpasswd, but they might use the same method for computing the MD5 digest.

If that's the case, one solution would be to customize the relevant Apache modules so that they use the same MD5 calculation that UBB.threads does.

Another solution would be to add a "front-end" script or Apache module which uses the server environment variables, as described at the link I posted above, to prompt for the user's login name and password, and then validate them using the UBB.threads database. All visitors to your site would have to get through this front-end script, so it would have the desired result.

Joined: Dec 1999
Posts: 37
Power User
Well, to be honest with you, these things you are suggesting are unfortunately a bit over my head.

Too bad, because I considered synched htaccess authentication a great security feature.


tgnb
Joined: Jan 2004
Posts: 1
Lurker
Hello!

Well I figured this out -- well, in my testing it works. First I will say that I really do not know PHP but I was in a panic to get this to work! <grin> The problem has something to do with the $salt that is used. So my new script changes that and creates an MD5 password which php/threads and apache both can understand. The only part I could not figure out is when a user requests a Temp password. In a short time fix (I hope someone here can help more on this) I am not using a "temp" password but changing the actual password and updating the database with it. I have my .htaccess password file updated every 10 mins on the server using the perl script. I found some issues if the person does not change the Temp password when they login and .htaccess would have the old one.

Here is my code which replaces code there and the files which need to be changed. I know this code may not have the "right look" but hey..it works!


changebasic.php

// If this is a new password we need to encrypt it

if ($ChosenPassword != $Password) {
    // Build a random 2-character salt for crypt()
    mt_srand((double)microtime()*1000000);
    $charsz = array_merge(range('a','z'),range('A','Z'),range(0,9));
    $salt = '';   // start from an empty salt before appending to it
    for ($i = 0; $i < 2; $i++) {
        $salt .= $charsz[mt_rand(0,count($charsz)-1)];
    }

    $ChosenPassword = crypt($ChosenPassword,$salt);

}



start_page.php

// Now let's crypt the password

mt_srand((double)microtime()*1000000);
$charsz = array_merge(range('a','z'),range('A','Z'),range(0,9));
$salt = '';   // start from an empty salt before appending to it
for ($i = 0; $i < 2; $i++) {
    $salt .= $charsz[mt_rand(0,count($charsz)-1)];
}

$crypt = crypt($pass,$salt);


Next...
// Note my change is not to use a Temp password and to just replace the real password (U_Password)

// Now let's update the database
$Username_q = addslashes($Username);
$crypt_q = addslashes($crypt);
$query = "
UPDATE {$config['tbprefix']}Users
SET U_Password = '$crypt_q'
WHERE U_LoginName = '$Username_q'
";
$dbh -> do_query($query);


adduser.php


// Now let's crypt the password
mt_srand((double)microtime()*1000000);
$charsz = array_merge(range('a','z'),range('A','Z'),range(0,9));
$salt = '';   // start from an empty salt before appending to it
for ($i = 0; $i < 2; $i++) {
    $salt .= $charsz[mt_rand(0,count($charsz)-1)];
}

$crypt = crypt($pass,$salt);




..admin/dochangeuser.php

// If this is a new password we need to encrypt it
if ($ChosenPassword != $OldPass) {
    // Build a random 2-character salt for crypt()
    mt_srand((double)microtime()*1000000);
    $charsz = array_merge(range('a','z'),range('A','Z'),range(0,9));
    $salt = '';   // start from an empty salt before appending to it
    for ($i = 0; $i < 2; $i++) {
        $salt .= $charsz[mt_rand(0,count($charsz)-1)];
    }

    $ChosenPassword = crypt($ChosenPassword,$salt);
}








