www-apache-bugdb mailing list archives

From Pascal Oiry <o...@fr.ibm.com>
Subject mod_auth-any/4823: crypt() unavailable on Win32 during Authentification process
Date Thu, 05 Aug 1999 14:01:02 GMT

>Number:         4823
>Category:       mod_auth-any
>Synopsis:       crypt() unavailable on Win32 during Authentification process
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug  5 07:10:00 PDT 1999
>Last-Modified:
>Originator:     oiry@fr.ibm.com
>Organization:
apache
>Release:        1.3.6 (WIN32)
>Environment:
OS : Windows95 - OSR2
Apache : binary file release 1.3.6 issued from Apache Org. servers
>Description:
After configuring Apache in a Windows 95 environment for supporting user authentication,
an "authorization failed" pop-up box is displayed when required.

The error logged is :
"...user user_name: authentication failure for "/cgi-bin/admin/CGI_FILE.CMD": crypt() unavailable
on Win32, cannot validate password"
For your information I am currently running some REX cgi programs (e.g. .CMD files)

I also understand we cannot have the same password encryption as in a Unix environment. I
read in Laurie's "Apache, the definitive guide"
book that it should be possible to have a password stored in the file named by
the AuthUserFile directive with the following format:
user_name:non_encrypted_password.

Even if this is not secure, it should be suitable that the server could at least compare the
provided password with the stored password.

I did read some piece of Apache code (unfortunately from release 1.6.3) and I saw in the module/standard/mod_auth.c
file:

  /* anyone know where the prototype for crypt is? */
    if (strcmp(real_pw, (char *) crypt(sent_pw, real_pw))) {
	ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
		    "user %s: password mismatch: %s", c->user, r->uri);
	ap_note_basic_auth_failure(r);
	return AUTH_REQUIRED;
    }

The fact seems to be that the crypt() function is not available in a windows environment.
Is there any way to bypass that problem? 
Thank you so much for your help,

Regards,
Pascal Oiry
oiry@fr.ibm.com
>How-To-Repeat:
To reproduce the problem just add authentication directives in the httpd.conf file
in a windows95 environment and try to reach a password protected document.
>Fix:
To fix it, it could be great to have a crypt() function provided either in the mod_auth.c
file (with platform-dependent flag) or in an additional DLL module.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <apbugs@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or      ]
["Re: general/1098:").  If the subject doesn't match this       ]
[pattern, your message will be misfiled and ignored.  The       ]
["apbugs" address is not added to the Cc line of messages from  ]
[the database automatically because of the potential for mail   ]
[loops.  If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request from a  ]
[developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]
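
Added example, not part of the original report and not Apache's code: one way the check quoted from mod_auth.c can behave on a platform without crypt(), refusing the login rather than comparing the sent password against a clear-text field, and using a constant-time comparison in place of strcmp(). HAVE_CRYPT, ct_equal, stored_field, check_password and the pw_result values are names assumed for this illustration.

```c
#include <stddef.h>
#include <string.h>
#ifdef HAVE_CRYPT            /* assumed build flag: define only where crypt() exists */
#include <crypt.h>
#endif

enum pw_result { PW_OK = 0, PW_MISMATCH = 1, PW_UNAVAILABLE = 2 };

/* Compare two strings without stopping at the first differing byte, unlike
 * strcmp(). Only the lengths, which are not secret for hashes, affect timing. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = 0;

    if (la != lb)
        return 0;
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Return the password field of one "user_name:field" line (newline already
 * stripped) if the user name matches exactly, otherwise NULL. */
const char *stored_field(const char *line, const char *user)
{
    size_t ulen = strlen(user);

    if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
        return NULL;
    return line + ulen + 1;
}

/* Validate sent_pw against the stored field real_pw. Without crypt() the
 * result is PW_UNAVAILABLE: the caller must deny access, never fall through. */
enum pw_result check_password(const char *real_pw, const char *sent_pw)
{
#ifdef HAVE_CRYPT
    const char *hashed = crypt(sent_pw, real_pw);  /* stored hash doubles as salt */

    if (hashed == NULL)
        return PW_UNAVAILABLE;
    return ct_equal(real_pw, hashed) ? PW_OK : PW_MISMATCH;
#else
    /* No crypt(): refuse instead of comparing sent_pw with a clear-text field. */
    (void)real_pw; (void)sent_pw;
    return PW_UNAVAILABLE;
#endif
}
```

Built without HAVE_CRYPT this reproduces the fail-closed behaviour in the logged error; on a system with libcrypt, build with -DHAVE_CRYPT and link with -lcrypt.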



