Securing Your Web Pages with Apache Page 11
The htpasswd application is used to create and maintain
text-based authentication databases for use with the mod_auth
module. It gets the username and options from the command line, prompts
for and reads the password from standard input (twice, for verification),
and stores the username and the encrypted password in the
specified text file. (The 'encryption' is really one-way hashing: the
stored value cannot be turned back into the password.) When the Apache
server receives credentials to verify, it hashes the submitted password
using the same algorithm as the stored entry and then compares the
results -- so the actual plaintext password doesn't live in a file on
your system.
The syntax of the
htpasswd command is:
htpasswd [options] pwfile username [password]
htpasswd can hash the passwords using a variety of
algorithms, indicated by an algorithm flag on the command line:
- -m  Causes the password to be hashed using an Apache-specific
modified MD5 algorithm (entries begin with $apr1$). Although no other
application can understand passwords stored this way, they work on all
Apache systems running 1.3.9 or later, and so you can transport a
.htpasswd file from Linux to AIX to Solaris to Windows and have it work
in each place without any changes. This is the default algorithm on the
Windows and TPF platforms.
- -d  Use the system's crypt() library routine to hash the password. This
means that the stored passwords will be as safe as those in the system's
user file -- but they're probably not transportable to any other system,
and traditional crypt() uses only the first eight characters of the
password.
- -s  This will cause the password to be hashed using the SHA algorithm
used by Netscape servers: an unsalted, base64-encoded SHA-1 digest stored
with a {SHA} prefix. This is useful when migrating from one server to the
other.
- -p  Plaintext -- don't hash the password at all. This was added because
of a problem in Apache 1.3.6 on Windows, which prevented MD5-hashed
passwords (the only other type supported on Windows by that version) from
being correctly recognised. Don't use this option unless you're working
with a password file for Apache 1.3.6 on Windows. Even then the vastly
preferred remedy is to upgrade to a more recent version; 1.3.6 is from
early 1999.
The algorithm used is particular to each entry in the file (the server
recognises it from the form of the stored value), so it's entirely
possible for a file to contain passwords hashed in different ways.
The htpasswd tool understands two other flags,
which control other aspects than hashing:
- -b  Get the password from the command line rather than reading it from
stdin. This flag is primarily intended to help Windows Webmasters, but it's
useful on other platforms as well, as it allows script-based password
management in a non-interactive environment (such as allowing a user to
change his password with a CGI script). However, since the password
appears in plaintext on the command line, it may be visible to other users
in the output of a ps command (and may be recorded in the shell's history
file), and there's no verification that it was spelt correctly. Use this
option with caution.
- -c  By default, htpasswd assumes that the pwfile authentication
database file already exists, and will update it (replacing the named
user's entry if there is one, or appending a new one). To create a new
file, or completely overwrite an existing one, add the -c flag to the
command line.
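The two behaviours described above (the server re-hashing a submitted password with whatever scheme the stored entry uses, which is what lets one file mix -m, -d, -s and -p entries, and htpasswd's update-versus-create handling of the file) as an added Python example. This is not code from the article or from Apache; it implements the $apr1$ and {SHA} schemes from their published algorithms, the function names, the sample users and the crypt-format string for carol are made up for the example, and crypt() entries are recognised but refused rather than checked because that would need the platform's crypt(3).

```python
import base64
import hashlib
import hmac
import re
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional DES crypt(3) output


def _to64(value: int, count: int) -> str:
    """APR's to64(): `count` characters, least-significant six bits first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_md5(password: str, salt: str) -> str:
    """The -m scheme ($apr1$): Unix md5crypt with Apache's magic string."""
    pw, s = password.encode(), salt.split("$", 1)[0][:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    remaining = len(pw)
    while remaining > 0:                      # fold len(pw) bytes of alt in
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for r in range(1000):                     # key-stretching rounds
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$apr1${s.decode()}${enc}"


def sha1_entry(password: str) -> str:
    """The -s scheme ({SHA}): unsalted base64(SHA-1), as Netscape servers used."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def check_password(stored: str, submitted: str) -> bool:
    """Server-side check: re-hash `submitted` with the scheme `stored` uses."""
    if stored.startswith("$apr1$"):
        salt = stored[len("$apr1$"):].split("$", 1)[0]
        candidate = apr1_md5(submitted, salt)
    elif stored.startswith("{SHA}"):
        candidate = sha1_entry(submitted)
    elif CRYPT_RE.fullmatch(stored):
        # A -d entry needs the platform's crypt(3). Refuse rather than fall
        # through to a plaintext compare, which would accept the hash itself.
        return False
    else:
        candidate = submitted                 # a -p plaintext entry
    return hmac.compare_digest(candidate.encode(), stored.encode())


def upsert_entry(existing: Optional[str], user: str, entry: str,
                 create: bool = False) -> str:
    """Mimic htpasswd file handling: create (-c) overwrites everything;
    otherwise the file must exist and the user's line is replaced or appended."""
    if existing is None and not create:
        raise FileNotFoundError("password file missing; use create=True (-c)")
    lines = [] if create or existing is None else existing.splitlines()
    new_line = f"{user}:{entry}"
    out = [new_line if ln.split(":", 1)[0] == user else ln for ln in lines]
    if new_line not in out:
        out.append(new_line)
    return "\n".join(out) + "\n"


def demo() -> dict:
    """Constructed mixed-scheme file; returns the verification result per user."""
    body = upsert_entry(None, "alice", apr1_md5("s3cret", "abcdefgh"), create=True)
    body = upsert_entry(body, "bob", sha1_entry("password"))
    body = upsert_entry(body, "carol", "abJnggxhB/yWI")   # crypt-format, made up
    body = upsert_entry(body, "dave", "letmein")          # -p plaintext
    attempts = {"alice": "s3cret", "bob": "password",
                "carol": "abJnggxhB/yWI", "dave": "letmein"}
    results = {}
    for line in body.splitlines():
        user, stored = line.split(":", 1)
        results[user] = check_password(stored, attempts[user])
    return results


if __name__ == "__main__":
    print(demo())
```

Note that carol's entry fails even when the stored string itself is submitted: dispatching on the entry's form, and refusing formats you cannot verify, is what keeps a plaintext fallback from turning a leaked hash into a working password.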