Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 27347 - apache/apache2/apache 2.0.47: http basic authentication auth: sha1/sha-1 password hashing doesn't work, md5 password hashing works
Summary: apache/apache2/apache 2.0.47: http basic authentication auth: sha1/sha-1 pass...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Apache Team - Bugzilla Reports
Depends on:
Reported: 2003-08-26 02:53 UTC by Daniel Mettler
Modified: 2004-04-04 09:38 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Mettler 2003-08-26 02:53:04 UTC
i just experienced a weird problem with my apache 2.0.47 installation: http
basic auth using md5 hashed passwords works fine, but http basic auth using sha1
hashed passwords (htpasswd2 -cs htpasswd mylogin) doesn't work at all. the
apache2 error_log at "loglevel debug" is not specific and wrong (the submitted
user credentials were correct):

[Tue Aug 26 08:40:21 2003] [error] [client] user bla:
authentication failure for "/test": Password Mismatch

Server version: Apache/2.0.47
Server built:   Aug 22 2003 21:33:23

i've tried to track down the problem with the help of #apache @freenode, but all
we found out was that apparently md5 hashes work but sha1 don't.

both worked fine with my previous apache 1.3.x (gentoo)

Reproducible: Always
Steps to Reproduce:
1. emerge apache 2.0.47
2. setup apache and config a dir to use basic auth (.htaccess)
3. create a new htpasswd file using sha1 hashes: htpasswd2 -cs htpasswd mylogin
4. test it using "loglevel debug"
5. compare the whole thing to using md5 hashes instead

Actual Results:  
if using sha1 hashes: access denied
if using md5 hashes: works fine

Expected Results:  
if using sha1 hashes: works fine
if using md5 hashes: works fine

i don't really use any special setup/hw, just an i586 box

i don't know whether this bug only affects my box. however i followed all
standard gentoo procedures when emerging and configuring apache 2.0.47.

i set this bug to critical as it prevents previous htpasswd files from working,
resulting in big annoyance as an admin is usually not supposed to know those
passwords. thus he can't regenerate the htpasswd file using md5 hashed pwds
(which is a work-around)
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-17 03:56:00 UTC
please repeat the tests with 2.0.48-r1/2 and include your emerge info output and openssl version if the problem still occurs.
Comment 2 Chuck Short (RETIRED) gentoo-dev 2004-04-03 18:07:09 UTC

Do you have an update on this bug?

Comment 3 Daniel Mettler 2004-04-04 08:32:00 UTC
i've checked it again on my current system, and yes, the phenomenon is still there. some details of my emerge info:

Portage 2.0.50-r1 (default-x86-1.4, gcc-3.3.2, glibc-2.3.2-r9, 2.6.4)
System uname: 2.6.4 i686 VIA Samuel 2
Gentoo Base System version
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
CFLAGS="-march=c3 -mcpu=c3 -m3dnow -fomit-frame-pointer -mmmx -O3 -pipe"
(btw: the bug also appeared with very conservative cflag settings)
CXXFLAGS="-march=c3 -mcpu=c3 -m3dnow -fomit-frame-pointer -mmmx -O3 -pipe"
USE="apache2 apm arts avi berkdb crypt cups curl encode foomaticdb gdbm gif gpm gtk2 imlib java jpeg libg++ libwww mad maildir mikmod motif mpeg mysql ncurses nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang spell ssl svga tcpd tetex truetype x86 xml2 xmms xv zlib"

openssl version: OpenSSL 0.9.7d 17 Mar 2004

the thing about the apache2 error log not being specific enough to determine the reason of this behavior still applies.

however, as no other gentoo user has confirmed this behavior so far, i suggest to close this bug report.
Comment 4 Chuck Short (RETIRED) gentoo-dev 2004-04-04 09:38:48 UTC
Closing bug.