Apache HTTP Server Version 2.2
This document refers to the 2.2 version of Apache httpd, which is no longer maintained.
Available Languages: en
Notes about the password encryption formats generated and understood by Apache.
There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
CRYPT: uses the crypt(3) function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password.
$ htpasswd -nbm myName myPassword
myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
$ htpasswd -nbs myName myPassword
myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=
$ htpasswd -nbd myName myPassword
myName:rqXexS6ZhobKA
OpenSSL knows the Apache-specific MD5 algorithm.
$ openssl passwd -apr1 myPassword
$apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0
$ openssl passwd -crypt myPassword
qQ5vTYO3c8dsU
The salt for a CRYPT password is the first two characters (converted to a binary value). To validate myPassword against rqXexS6ZhobKA:
$ openssl passwd -crypt -salt rq myPassword
Warning: truncating password to 8 characters
rqXexS6ZhobKA
Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.
The salt for an MD5 password is between $apr1$ and the following $ (as a Base64-encoded binary value - max 8 chars). To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/ :
$ openssl passwd -apr1 -salt r31..... myPassword
$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords that are usable by Apache basic authentication.
To create Apache SHA1-variant basic-authentication passwords in various languages:
PHP:
'{SHA}' . base64_encode(sha1($password, TRUE))
Java:
"{SHA}" + java.util.Base64.getEncoder().encodeToString(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))
ColdFusion:
"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))
Ruby:
require 'digest/sha1'
require 'base64'
# strict_encode64 omits the trailing newline that encode64 appends
'{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(password))
C or C++:
Use the APR function: apr_sha1_base64
PostgreSQL (with the pgcrypto functions installed):
'{SHA}'||encode(digest(password,'sha1'),'base64')
Apache recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits. realm is the Authorization Realm argument to the AuthName directive in httpd.conf.
Since the MD5 function is commonly available, other software can populate a database with encrypted passwords that are usable by Apache digest authentication.
To create Apache digest-authentication passwords in various languages:
PHP:
md5($user . ':' . $realm . ':' . $password)
Java:
byte b[] = java.security.MessageDigest.getInstance("MD5").digest((user + ":" + realm + ":" + password).getBytes());
java.math.BigInteger bi = new java.math.BigInteger(1, b);
String s = bi.toString(16);
while (s.length() < 32)
    s = "0" + s;
// String s is the encrypted password
ColdFusion:
LCase(Hash((user & ":" & realm & ":" & password), "MD5"))
Ruby:
require 'digest/md5'
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)
PostgreSQL (with the pgcrypto functions installed):
encode(digest(user || ':' || realm || ':' || password, 'md5'), 'hex')
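An added example, not part of the Apache documentation: Python code that builds and checks the {SHA} and digest values described above, and shows that because the {SHA} value carries no salt, two users with the same password end up with identical stored entries. The function names, the DIGEST and UNKNOWN labels, and the alice and dave entries are assumptions made up for illustration; the other hash strings are the ones shown on this page.

```python
import base64
import hashlib
import hmac
import re

def sha1_entry(password):
    """'{SHA}' + Base64 of the raw SHA-1 digest; note there is no salt."""
    raw = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(raw).decode("ascii")

def digest_entry(user, realm, password):
    """MD5 of user:realm:password as 32 hexadecimal digits."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def classify(stored):
    """Name a stored value's format from its shape (labels are this example's)."""
    if stored.startswith("{SHA}"):
        return "SHA1"
    if stored.startswith("$apr1$"):
        return "MD5"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "DIGEST"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "CRYPT"
    return "UNKNOWN"

def verify(stored, password, user="", realm=""):
    """True/False for SHA1 and DIGEST values; None for formats not handled here."""
    kind = classify(stored)
    if kind == "SHA1":
        expected = sha1_entry(password)
    elif kind == "DIGEST":
        expected = digest_entry(user, realm, password)
    else:
        return None  # CRYPT and $apr1$ need crypt(3) or the Apache-specific MD5 algorithm
    return hmac.compare_digest(stored.encode(), expected.encode())

def shared_sha1(lines):
    """Groups of users whose {SHA} values are equal, i.e. who share a password."""
    groups = {}
    for line in lines:
        user, _, stored = line.strip().partition(":")
        if classify(stored) == "SHA1":
            groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]

# Constructed file: page hash strings for myName/bob/carol, made-up alice/dave.
SAMPLE = ["myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=", "bob:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
          "carol:rqXexS6ZhobKA", "alice:" + sha1_entry("example-pw"), "dave:" + sha1_entry("example-pw")]
print(shared_sha1(SAMPLE))
```

Running `shared_sha1` over a password file before migrating it to a salted format gives a quick list of accounts that would all fall to a single guessed password.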