Apache Authentication Headache


onlyican

Hey people.

 

I got a new client who has their site run with Apache Authentication.

 

It is my job to test everything is working.

 

Problems.

 

I have the website with several folders

 

In the folder "Members" I have 2 Apache files

htaccess

htpasswd

 

Htaccess contains the following

AuthUserFile /www/SiteName/members/.htpasswd
AuthType Basic
AuthName "My Private Area"

require valid-user

 

I will be moving the location of htpasswd at a later date.

 

In htpasswd I have a long list of Usernames and encrypted passwords

such as

 

test:192ba5b8X6Fiw:Test:test

"192ba5b8X6Fiw" Should be "test"

 

I go to log in, I have to log in with the following information

Username: test

Password: 192ba5b8X6Fiw

I should be logging in with password "Test"

 

I have another folder, called "securearea"

Inside this folder, there is no htaccess file, but there is a htpasswd file.

Again information stored as

test:192ba5b8X6Fiw

So the password is encrypted

This time, I go to log in, I use

Username: test

Password: test

 

NOT 192ba5b8X6Fiw. So how come this is working here but not in the other folder?

How come this is working without a htaccess file?

 

Any articles or anything to help me understand, I would be grateful.


it is working

 

 

Username:Password:Name:Email

Username:Password:Name:Email

Username:Password:Name:Email

 

How it works from what I understand

Split the line at :

Then Section 0 and 1 (Username and Password) are used

Doesn't matter if there is only 1 colon, or 100.

 

 

I managed to add a user using their admin system, but the encrypted password is totally wrong

I think it is to do with my set up of htpasswd.exe

 


The htpasswd files have already been created.

 

I type in the encrypted form of the password and it works for one directory

Type in the correct password and it doesn't

 

It may be to do with the fact that Name and Email is being stored in the string as well

 


It was a pure fluke that typing in the htpasswd hash let you in. Probably because you had the name and email there also.

 

YOU CANNOT TYPE IN THE HTPASSWD HASH INTO A PASSWORD BOX.

You need the ACTUAL password.

 

NO - you cannot decode the HASH. It's a one-way hash.

You will NOT be able to test the passwords unless you actually have the passwords.

 

-steve


Sorry for the delay, got sidetracked with another 4 support jobs.

 

I have edited things and it is still the same.

 

.htaccess file

AuthUserFile /www/SiteName/members/.htpasswd
AuthType Basic
AuthName "My Private Area"

require valid-user

 

I know that the htpasswd file should not be in the website directory, but I did not build this, I am just trying to understand it.

 

.htpasswd file

MyTest:192ba5b8X6Fiw:Jamie:email@me.com

 

192ba5b8X6Fiw is hash for "test"

 

I also tried htpasswd as

MyTest:192ba5b8X6Fiw

 

Both of these, the results are the same.

 

I go to log in

Username: MyTest

Password: test

FAILS

 

username: MyTest

password: 192ba5b8X6Fiw

WORKS

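An added example, not part of any post above: a small Python audit that reads htpasswd lines the way the thread describes (split at ":", first two fields used) and reports which password scheme each stored value appears to use. The sample lines are constructed, and the function names and scheme labels are this example's own.

```python
import re

# Constructed sample in the thread's layout (user:value:name:email).
# Values other than the one quoted in the thread are made-up placeholders.
SAMPLE = """\
MyTest:192ba5b8X6Fiw:Jamie:email@me.com
test:192ba5b8X6Fiw
alice:$apr1$placehld$placeholderplaceholder
bob:{SHA}placeholderplaceholder00000=
carol:$2y$05$placeholderplaceholderplaceholder
# comment lines and blank lines are skipped
dave:hunter2
"""

CRYPT13 = re.compile(r"[./0-9A-Za-z]{13}")
WEAK = {"sha1", "crypt-or-plaintext", "plaintext-or-unknown"}

def classify(stored):
    """Guess the scheme from the stored value's prefix or shape."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    # No prefix: a 13-character value has the shape of traditional crypt().
    # The htpasswd documentation notes that httpd on Windows does not support
    # crypt() and accepts plaintext entries there, so the same line can behave
    # differently depending on the server platform.
    if CRYPT13.fullmatch(stored):
        return "crypt-or-plaintext"
    return "plaintext-or-unknown"

def audit(text):
    """Return (line_no, user, scheme, extra_field_count, weak) per entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            findings.append((n, None, "malformed", 0, True))
            continue
        scheme = classify(fields[1])
        findings.append((n, fields[0], scheme, len(fields) - 2, scheme in WEAK))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Entries flagged weak are candidates for re-creation with a stronger scheme once the real passwords are known.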
