httpd-users mailing list archives

From Ben Johnson <>
Subject Re: [users@httpd] Does Apache htpasswd using md5 match the PHP md5 function result?
Date Thu, 02 May 2013 18:19:03 GMT

On 5/2/2013 1:50 PM, Bo Berglund wrote:
> I am trying to understand the use of MD5 as passwords for Apache,
> previously I have always used CRYPT:ed passwords in my .htpasswd file.
> Because Apache on Windows does not allow CRYPT:ed passwords (see
> earlier thread) I am investigating the MD5 possibility.
> The problem I have is that I need to let my code generate the hashes
> written to the .htpasswd file in such a way that Apache will be OK
> with them.
> When reading the PHP documentation I find that the output of the md5()
> function is a 32 byte hex string.
> But the hash generated by the Apache htpasswd command on Windows
> produces hashes like this:
> $apr1$44sXxXbW$ZUtMUVZGDp1wSR6dEFguq0
> As you can see this is clearly NOT a hex string at all!!!
> So is it possible with PHP to generate the .htpasswd file in a format
> that complies with what Apache needs?
> And can PHP check if a password hash matches the user supplied
> password after it has been hashed using MD5?

Hi again, Bo,

Yes, it is possible for PHP to generate the .htpasswd file by calling a
standalone binary directly (e.g., with proc_open() or other functions in
the same family).

Likewise, PHP can validate the hash using the same method.

From the manual page that I cited in a previous response ( ):

"$apr1$" + the result of an Apache-specific algorithm using an iterated
(1,000 times) MD5 digest of various combinations of a random 32-bit salt
and the password. See the APR source file apr_md5.c for the details of
the algorithm.


Generating values with htpasswd


$ htpasswd -nbm myName myPassword


Generating CRYPT and MD5 values with the OpenSSL command-line program

OpenSSL knows the Apache-specific MD5 algorithm.


$ openssl passwd -apr1 myPassword


Validating CRYPT or MD5 passwords with the OpenSSL command line program

The salt for an MD5 password is between $apr1$ and the following $ (as a
Base64-encoded binary value - max 8 chars). To validate myPassword
against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/


$ openssl passwd -apr1 -salt r31..... myPassword


So, at a minimum, it seems that you should be able to generate
Apache-readable hashes using either the Apache-provided utility
binary, htpasswd, or the "openssl" binary. Given that openssl is
available for most (or all) platforms, including Windows, one of the two
should be sufficient.

I grabbed openSSL from .

Trying htpasswd first:

Generate password:

htpasswd -nbm myName myPassword

Validate password:

openssl passwd -apr1 -salt QF/F.cm5 myPassword

(the hashes match; the password is valid)

Trying openssl next:

openssl passwd -apr1 myPassword

openssl passwd -apr1 -salt f/X4Z7kl myPassword

(the hashes match; the password is valid)

This should be everything you need.

