Securing Your Web Pages with Apache Page 11

The htpasswd application is used to create and maintain
text-based authentication databases for use with the mod_auth
module. It gets the username and options from the command line, prompts
for and reads the password from standard input (twice, for verification),
and stores the username and the encrypted password in the
specified text file. When the Apache server receives credentials to
verify, it encrypts the submitted password using the same algorithm
as the stored password, and then compares the results — so the
actual plaintext password doesn’t live in a file on your system.

The syntax of the htpasswd command is:

    htpasswd [options] pwfile username [password]
  

htpasswd can encrypt the passwords using a variety of
algorithms, indicated by the algorithm flag on the command line:

-m

Causes the password to be encrypted using an Apache-specific
modified MD5 hash algorithm. Although no other application can
understand passwords encrypted this way, they work on all
Apache systems running 1.3.9 or later, and so you can transport
your .htpasswd file from Linux to AIX to Solaris to
Windows and have it work in each place without any changes. This
is the default algorithm for the Windows and TPF platforms.

-d

Use the system’s crypt() library routine to
encrypt the password. This means that the encrypted passwords
will be as safe as those in the system’s user file — but they’re
probably not transportable to any other system.

-s

This will cause the password to be encrypted using the SHA
algorithm, which is used by Netscape servers. This is useful when
migrating from one server to the other.

-p

The -p flag means ‘plaintext — don’t encrypt the
password at all.’ This was added because of a problem in
Apache 1.3.6 on Windows, which prevented MD5-encrypted passwords
(the only other type supported on Windows by that version) from
being correctly recognised. Don’t use this option unless
you’re working with a password file for Apache 1.3.6 on Windows.
Even then the vastly preferred remedy is to upgrade to a more
recent version; 1.3.6 is from early 1999.

The encryption algorithm used is particular to each entry in the
file, so it’s entirely possible for a file to contain passwords
encrypted in different ways.

The htpasswd tool understands two other flags,
which control other aspects than encryption:

-b

Get the password from the command line rather than reading it from
stdin. This flag is primarily intended to help Windows
Webmasters, but it’s useful on other platforms as well, as it allows
script-based password management in a non-interactive environment
(such as allowing a user to change is password with a CGI script).
However, since the password appears in plaintext on the command
line, it might be visible to another user in the output of a
ps command, and there’s no verification that it
was spelt correctly. Use this option with caution.

-c

By default, htpasswd assumes that the
pwfile authentication database file already
exists, and will update it. To create a new one, or completely
overwrite an existing one, add the -c flag to the
command line.