www-apache-bugdb mailing list archives

From Pascal Oiry <o...@fr.ibm.com>
Subject mod_auth-any/4823: crypt() unavailable on Win32 during Authentification process
Date Thu, 05 Aug 1999 14:01:02 GMT

>Number:         4823
>Category:       mod_auth-any
>Synopsis:       crypt() unavailable on Win32 during Authentification process
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug  5 07:10:00 PDT 1999
>Originator:     oiry@fr.ibm.com
>Release:        1.3.6 (WIN32)
OS : Windows95 - OSR2
Apache : binary file release 1.3.6 issued from Apache Org. servers
After configuring Apache in a Windows 95 environment for supporting user authentication,
an "authorization failed" pop-up box is displayed when required.

The error logged is :
"...user user_name: authentication failure for "/cgi-bin/admin/CGI_FILE.CMD": crypt() unavailable
on Win32, cannot validate password"
For your information I am currently running some REX cgi programs (e.g. .CMD files)

I also understand we cannot have the same password encryption as in a Unix environment. I
read in Laurie's "Apache, the definitive guide"
book that it should be possible to have a password stored in the file named by
the AuthUserFile directive with the following format:

Even if this is not secure, it should be suitable that the server could at least compare the
provided password with the stored password.

I did read some piece of Apache code (unfortunately from release 1.6.3) and I saw in the module/standard/mod_auth.c

  /* anyone know where the prototype for crypt is? */
    if (strcmp(real_pw, (char *) crypt(sent_pw, real_pw))) {
		    "user %s: password mismatch: %s", c->user, r->uri);

The fact seems to be that the crypt() function is not available in a windows environment.
Is there any way to bypass that problem? 
Thank you so much for your help,

Pascal Oiry
To reproduce the problem, just add authentication directives in the httpd.conf file
in a Windows 95 environment and try to reach a password-protected document.
To fix it, it could be great to have a crypt() function provided either in the mod_auth.c
file (with a platform-dependent flag) or in an additional DLL module.
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
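
Added example (not part of the original report, and not Apache's own code): the `strcmp`/`crypt()` check quoted in the report, written so that a build without `crypt()` fails closed unless plaintext comparison is explicitly enabled, and so that a NULL return from the hash function is handled. `check_password`, `hash_fn`, `allow_plaintext` and `demo_hash` are hypothetical names; `demo_hash` is a constructed stand-in, not a real hash.

```c
#include <stddef.h>
#include <string.h>

/* All names here are hypothetical; this is not Apache's mod_auth code. */
typedef char *(*hash_fn)(const char *pw, const char *salt); /* crypt()-shaped */
enum auth_result { AUTH_OK, AUTH_MISMATCH, AUTH_NO_HASH };

/* Compare every byte of the common length; do not stop at the first difference. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* hasher == NULL models a build without crypt(), like Win32 in the report. */
enum auth_result check_password(const char *stored, const char *sent,
                                hash_fn hasher, int allow_plaintext)
{
    const char *computed;
    if (hasher == NULL) {
        if (!allow_plaintext)
            return AUTH_NO_HASH;          /* fail closed: cannot validate */
        return ct_equal(stored, sent) ? AUTH_OK : AUTH_MISMATCH;
    }
    computed = hasher(sent, stored);      /* stored entry doubles as salt */
    if (computed == NULL)                 /* crypt() can return NULL */
        return AUTH_MISMATCH;
    return ct_equal(stored, computed) ? AUTH_OK : AUTH_MISMATCH;
}

/* Constructed stand-in so this runs without libcrypt. NOT a real hash. */
char *demo_hash(const char *pw, const char *salt)
{
    static char out[64];
    size_t n = strlen(pw), i;
    if (strlen(salt) < 2 || n > sizeof(out) - 3) return NULL;
    out[0] = salt[0]; out[1] = salt[1];
    for (i = 0; i < n; i++) out[2 + i] = pw[n - 1 - i];
    out[2 + n] = '\0';
    return out;
}

int main(void)
{   /* Constructed entry: "ab" salt followed by the stand-in hash of "secret". */
    return check_password("abterces", "secret", demo_hash, 0) == AUTH_OK ? 0 : 1;
}
```

With `allow_plaintext` set, the file named by AuthUserFile holds recoverable passwords, so the opt-in belongs in explicit configuration rather than as a silent fallback.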
