<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              This file is generated from xml source: DO NOT EDIT
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      -->
<title>Password Formats - Apache HTTP Server</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.3</p>
<img alt="" src="../images/feather.gif" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id=
"page-content"><div id=
"preamble"><h1>Password Formats
</h1>
<p><span>Available Languages: </span><a href="../en/misc/password_encryptions.html" title="English"> en </a></p>
<p>Notes about the password encryption formats generated and understood by</p>
</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#basic">Basic Authentication</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#digest">Digest Authentication</a></li>
</ul></div>
<div class="section">
<h2><a name="basic" id="basic">Basic Authentication</a></h2>
<p>There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:</p>
<dl>
<dt>PLAIN TEXT (i.e. <em>unencrypted</em>)</dt>
<dd>Windows, BEOS, &amp; Netware only.</dd>
<dt>CRYPT</dt>
<dd>Unix only. Uses the traditional Unix <code>crypt(3)</code> function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password.</dd>
<dt>SHA1</dt>
<dd>"{SHA}" + Base64-encoded SHA-1 digest of the password.</dd>
<dt>MD5</dt>
<dd>"$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file <a href="http://svn.apache.org/viewvc/apr/apr-util/trunk/crypto/apr_md5.c?view=markup">apr_md5.c</a> for the details of the algorithm.</dd>
</dl>
<h3>Generating values with htpasswd</h3>
<div class="example"><h3>MD5</h3><p><code>
$ htpasswd -nbm myName myPassword<br />
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
</code></p></div>
<div class="example"><h3>SHA1</h3><p><code>
$ htpasswd -nbs myName myPassword<br />
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
</code></p></div>
<div class="example"><h3>CRYPT</h3><p><code>
$ htpasswd -nbd myName myPassword<br />
</code></p></div>
<h3>Generating CRYPT and MD5 values with the OpenSSL command-line program</h3>
<p>OpenSSL knows the Apache-specific MD5 algorithm.</p>
<div class="example"><h3>MD5</h3><p><code>
$ openssl passwd -apr1 myPassword<br />
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
</code></p></div>
<div class="example"><h3>CRYPT</h3><p><code>
$ openssl passwd -crypt myPassword<br />
</code></p></div>
<h3>Validating CRYPT or MD5 passwords with the OpenSSL command</h3>
<p>The salt for a CRYPT password is the first two characters (converted to a binary value). To validate <code>myPassword</code> against <code>rqXexS6ZhobKA</code></p>
<div class="example"><h3>CRYPT</h3><p><code>
$ openssl passwd -crypt -salt rq myPassword<br />
Warning: truncating password to 8 characters<br />
</code></p></div>
<p>Note that using <code>myPasswo</code> instead of <code>myPassword</code> will produce the same result because only the first 8 characters of CRYPT passwords are considered.</p>
<p>The salt for an MD5 password is between <code>$apr1$</code> and the following <code>$</code> (as a Base64-encoded binary value - max 8 chars). To validate <code>myPassword</code> against <code>$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/</code></p>
<div class="example"><h3>MD5</h3><p><code>
$ openssl passwd -apr1 -salt r31..... myPassword<br />
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
</code></p></div>
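<p>The same validation can be done without OpenSSL. The Python code below is an added example, not part of the Apache documentation or of APR: it implements the iterated-MD5 <code>$apr1$</code> scheme and the <code>{SHA}</code> format described above and checks a password against a <code>user:hash</code> line. The names <code>apr1</code>, <code>verify</code> and <code>PAGE_ENTRIES</code> are assumptions made for this example.</p>

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    """Emit n characters, 6 bits each, least-significant bits first."""
    return "".join(ITOA64[(v >> 6 * k) & 0x3F] for k in range(n))

def apr1(password: str, salt: str) -> str:
    """Apache $apr1$ hash: MD5-crypt with the "$apr1$" magic string."""
    pw, s = password.encode(), salt[:8].encode()  # salt is at most 8 chars
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:  # one extra byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):  # the 1,000 MD5 iterations
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups)
    return f"$apr1${s.decode()}${out}{_to64(final[11], 2)}"

def verify(entry: str, password: str) -> bool:
    """Check a password against one 'user:hash' line, chosen by format prefix."""
    _user, stored = entry.strip().split(":", 1)
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        candidate = "{SHA}" + base64.b64encode(digest).decode()
    elif stored.startswith("$apr1$"):
        candidate = apr1(password, stored.split("$")[2])  # salt sits between the 2nd and 3rd "$"
    else:
        raise ValueError("CRYPT and plain-text entries are not handled here")
    return hmac.compare_digest(candidate.encode(), stored.encode())  # constant-time compare

# Entries copied from the htpasswd examples on this page (password: myPassword).
PAGE_ENTRIES = (
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=",
)
```

<p>Both entries verify for <code>myPassword</code> and both reject <code>myPasswo</code>: unlike CRYPT, neither format stops at the first 8 characters. The <code>{SHA}</code> value depends only on the password, while the <code>$apr1$</code> value also depends on the salt stored in the entry.</p>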
<h3>Database password fields for mod_dbd</h3>
<p>The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.</p>
<p>To create Apache SHA1-variant basic-authentication passwords in various</p>
<div class="example"><h3>PHP</h3><p><code>
'{SHA}' . base64_encode(sha1($password, TRUE))
</code></p></div>
<div class="example"><h3>Java</h3><p><code>
"{SHA}" + java.util.Base64.getEncoder().encodeToString(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
</code></p></div>
<div class="example"><h3>ColdFusion</h3><p><code>
"{SHA}" &amp; ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
</code></p></div>
<div class="example"><h3>Ruby</h3><p><code>
require 'digest/sha1'<br />
require 'base64'<br />
'{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(password))
</code></p></div>
<div class="example"><h3>C or C++</h3><p><code>
Use the APR function: apr_sha1_base64
</code></p></div>
<div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions installed)</h3><p><code>
'{SHA}'||encode(digest(password,'sha1'),'base64')
</code></p></div>
</div>
<div class="section">
<h2><a name="digest" id="digest">Digest Authentication</a></h2>
<p>Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string <code>user:realm:password</code> as a 32-character string of hexadecimal digits. <code>realm</code> is the Authorization Realm argument to the <code class="directive"><a href="../mod/mod_authn_core.html#authname">AuthName</a></code> directive in</p>
<h3>Database password fields for mod_dbd</h3>
<p>Since the MD5 function is commonly available, other software can populate a database with encrypted passwords that are usable by Apache digest authentication.</p>
<p>To create Apache digest-authentication passwords in various</p>
<div class="example"><h3>PHP</h3><p><code>
md5($user . ':' . $realm . ':' . $password)
</code></p></div>
<div class="example"><h3>Java</h3><p><code>
byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());<br />
java.math.BigInteger bi = new java.math.BigInteger(1, b);<br />
String s = bi.toString(16);<br />
// left-pad with zeros to the full 32 hexadecimal digits<br />
while (s.length() &lt; 32)<br />
<span class="indent">s = "0" + s;</span><br />
// String s is the encrypted password
</code></p></div>
<div class="example"><h3>ColdFusion</h3><p><code>
LCase(Hash( (user &amp; ":" &amp; realm &amp; ":" &amp; password) , "MD5"))
</code></p></div>
<div class="example"><h3>Ruby</h3><p><code>
require 'digest/md5'<br />
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
</code></p></div>
<div class="example"><h3>PostgreSQL (with the contrib/pgcrypto functions installed)</h3><p><code>
encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
</code></p></div>
</div></div>
<div id=
"footer">
<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div>
</body></html>