Perl and Apache Configuration Files

newrisedesigns has asked for the wisdom of the Perl Monks concerning the following question:

Hi all,

After attempting to work on a CGI program that would allow me to set .htaccess and .htpasswd files remotely through a secure form, I hit a snag.

Writing the .htaccess files were no problem, however, I was a bit stuck when it came to .htpasswd.

.htpasswd files are in username:password format, with the first two letters of the password being the salt that you would use in Perl's crypt function. When htpasswd generates a file, however, it seems that the salt is random.

I tried using HTTPD::UserAgent (found out about it here), but it's not installed on this server, and I don't have the ability to install it (I don't even have telnet/SSH access :( just FTP.)

If the .htpasswd files do use a random salt, would it be worthwhile to have perl generate the .htpasswd file or should (if it's possible) I pass the information to htpasswd through a pipe (last resort)?

Thanks in advance for your help.

Comment on Perl and Apache Configuration Files

Replies are listed 'Best First'.
Re: Perl and Apache Configuration Files by arhuman (Vicar) on Jan 07, 2002 at 18:53 UTC
Super Search brings a lot of results on this topic, one including a pointer to HTTPD::UserManage, which seems a good solution to my mind. UPDATE : Another solution could be Apache::Htpasswd "Only Bad Coders Code Badly In Perl" (OBC2BIP)	[reply]
Re: Re: Perl and Apache Configuration Files by newrisedesigns (Curate) on Jan 07, 2002 at 20:51 UTC
Thanks for the link to the Apache CPAN link. I just attempted to "use" the module in my program, and it returns a 500 error. I'm going take another look around to see if I can find something else. I also attempted using a standard string as a salt, and the server doesn't recognize the password (but does acknowledge the generated .htaccess and the .htpasswd file).	[reply]
Re: Debugging errors the easy way. by BazB (Priest) on Jan 07, 2002 at 21:29 UTC
If you aren't all ready, Use strict warnings and diagnostics or die. Also look at CGI::Carp Following tachyon's advice should give you more of a clue why you're getting an error, rather than just getting a "500 - Server error".	[reply]
Re: Debugging errors the easy way. by newrisedesigns (Curate) on Jan 07, 2002 at 21:50 UTC
Re: Perl and Apache Configuration Files by rob_au (Abbot) on Jan 08, 2002 at 04:01 UTC
Just to throw my two bits into the ring, the following is a piece of code that I have used for just what you ask, generating username and password entries for htpasswd files - I think I lifted this code originally from the first edition of Learning Perl. `#!/usr/bin/perl -Tw use strict; @salt = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/'); my ($username, $password) = @ARGV; my $now = time; my ($pert1, $pert2) = unpack("C2", $username); my $salt = $salt[($now / 604800 + $pert1 + $pert2) % 64] . $salt[$now +% 64]; $password = crypt($password, $salt); print STDOUT "$username:$password\n"; exit 0;` [download] The salt for encryption in this case is based upon the first two characters of the username and the current system time. `perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'`	[reply] [d/l]
Re: Perl and Apache Configuration Files by Anonymous Monk on Jan 08, 2002 at 00:38 UTC
Salts are usually supposed change. They're not so much random as calculated by a formula which will be different everytime (which is the whole idea behind a salt), and different things that use crypt use thier own formula. As far as I know it really shouldn't matter what salt you use when you create a password though, because when decrypting the passwords it uses those first two letters as the salt to decrypt with. I don't know much about the htpasswd file, but I know most Unix systems use the current time as a salt. Here is an example: $salt = substr ( time () , -8 ); I just wrote a passwd generating program on Solaris 2.6 using this salt, which works fine. If the password won't take, perhaps you're using the wrong encryption for htpasswd.	[reply]
Re: Perl and Apache Configuration Files by newrisedesigns (Curate) on Jan 08, 2002 at 19:20 UTC
Thanks for the info concerning salt. Very helpful. I understood from before that the salt was inbedded within the password itself, as the first two characters of the password. It shouldn't matter what the salt is, cause any person or program can find out what it is through the first two characters. Yet my passwords are still not being recognized. The browser prompts the user for the password, but nothing seems to work. Documentation on Apache's web site doesn't cover manipulation of .htpasswd files at all, other than generating them with the htpasswd program. Thanks for all your help, but this project is going to have to go on the back burner for awhile... there's other CGI programs to be written! John J Reiser newrisedesigns.com	[reply]