Apparently, it's currently not possible to use HTTP auth with lighttpd using bcrypt hashed passwords. This seems to be a Gentoo-specific issue, as the very same setup works fine on one of my servers running Ubuntu 20.04 (so I suppose lighttpd can handle bcrypt hashed passwords): Using lighttpd 1.4.59-r1, when I create a password-protected directory like so: $HTTP["url"] =~ "^/test/" { auth.backend = "htpasswd" auth.backend.htpasswd.userfile = "/etc/lighttpd/test.htpasswd" auth.require = ( "" => ( "method" => "basic", "realm" => "test login", "require" => "valid-user" ) ) } and create a password file using htpasswd with the default MD5 hashing: htpasswd /etc/lighttpd/test.htpasswd test the password file looks like this (both the user and the password are "test"): test:$apr1$CTkRN1VJ$HbhH2TJ72oRWKBabGumT21 Opening the /test/ directory makes my browser ask for user name and pasword, as expected, and user "test" works with password "test". When I use bcrypt to hash the password via htpasswd -B /etc/lighttpd/test.htpasswd test however, the result is test:$2y$05$YE/nvftdEeywb/wrZJm3nOQRha2XMndWSn/H.YeYsSDgCnCrC0Mh. but logging in doesn't work anymore. The error.log says: 2021-10-27 16:54:13: mod_auth.c.828) password doesn't match for /test/ username: test IP: 192.168.178.21 After updating the password to the (default) MD5 hashing, I can login again.
x-ref with lighttpd upstream: https://redmine.lighttpd.net/boards/2/topics/10126 lighttpd works with bcrypt'd passwords on current Ubuntu and Fedora.
https://wiki.gentoo.org/wiki/Project:Toolchain/libcrypt_implementation The migration to sys-libs/libxcrypt will add blowfish crypt support to libcrypt
Well, then it's obvious why this doesn't work at the moment. Seems like this will solve itself then ;-)
(In reply to Tobias Leupold from comment #3) > Well, then it's obvious why this doesn't work at the moment. > Seems like this will solve itself then ;-) ... in just a few days, too! bug 809410. The best kind of bug!
Just to finally add this: After the migration to sys-libs/libxcrypt, lighttpd now also can handle bcrypted passwords. A complete reboot was necessary though, just restarting lighttpd wasn't enough. But it now works anyway :-)