poprishchin has asked for the wisdom of the Perl Monks concerning the following question:

I am moving a whole bunch of scripts/files to a new server, including "signup" scripts that generate encrypted passwords to be saved in an .htpasswd file. The new server (which uses "cPanel X") features a password protection feature where you manually enter a username/password and it encrypts/saves the info for you in the .htpasswd file.

The problem is this: the encryption method on my server doesn't seem to match what I used to do in my scripts, which means a) the old .htpasswd file is useless and b) I can't figure out how to automatically generate encrypted passwords.

Am I missing something simple? The code below worked well on my old server. (I lifted the CryptPasswd() code from somewhere...)

#!/usr/bin/perl -w
use strict;
use CGI qw/:standard/;

my $query = CGI->new;    # CGI object for reading the form parameters
my $username = $query->param('username');
my $password = $query->param('password');

# Called as a plain function, so $username is consumed as $self below
# and no salt is passed: the salt falls back to the first two
# characters of $0.
my $pwd = CryptPasswd($username, $password);

sub CryptPasswd {
    my ($self) = shift;
    my ($passwd, $salt) = @_;

    if ($salt) {
        # Make sure only use 2 chars
        $salt = substr ($salt, 0, 2);
    } else {
        ($salt = substr ($0, 0, 2)) =~ tr/:/C/;
    }

    return crypt ($passwd, $salt);
}

(PS - I do not have the ability to install modules, and only have a limited number at my disposal...) Thank you for any wisdom...

Replies are listed 'Best First'.
Re: crypt(), authentication, and my new server
by shmem (Chancellor) on May 04, 2007 at 09:30 UTC
    The problem is this: the encryption method on my server doesn't seem to match what I used to do in my scripts, which means a) the old .htpasswd file is useless and b) I can't figure out how to automatically generate encrypted passwords.

    What do those encrypted passwords look like? If the "cPanel X" developers didn't roll their own encryption mechanism, they should be using the system's crypt library, and it is likely perl's crypt can deal with it.

    You may just need another "salting":

    perl -le 'print crypt "secret","\$1\$perlhack\$"'
    $1$perlhack$8F6u9tXAeAq4QtPWDJJwi.

    The "perlhack" part of the salt should be a randomly generated string of course.

    As for a) - did you try your old .htpasswd files? They might "just work".

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
Re: crypt(), authentication, and my new server
by zentara (Cardinal) on May 04, 2007 at 12:18 UTC
    To amplify on shmem's response, you can have md5 or sha digests, and they will reveal themselves by the $1 or $2 .
    #!/usr/bin/perl
    use Crypt::PasswdMD5;

    #The secret to getting crypt to work correctly is in providing
    #a salt starting with '$1$' and having 8 characters
    #(instead of the normal 2 used for DES-crypt).
    #There are similar conventions for using other crypt variants
    #(e.g. '$2$' for SHA-crypt).

    my $passwd = 'whoopdeedoo';
    my $salt = '$1$qwertyuz';
    print "md5crypt salt= $salt \n";
    print "-------------------------------------\n";
    my $crypted = unix_md5_crypt $passwd, $salt;
    print "$crypted\n";
    $crypted = crypt $passwd, $salt; #crypt works as well
    print "$crypted\n";
    print crypt ($passwd, $salt), "\n";

    ######################################################################
    print "#################################################\n";
    print "des crypt salt= xy \n";
    $passwd = 'whoopdedoo';
    $salt = 'xy';
    print "-------------------------------------\n";
    $crypted = crypt $passwd, $salt;
    print "$crypted\n";
    print crypt ($passwd, $salt), "\n";

    #Note that the MD5-based crypt() is not the same as
    #obtaining the hash of your password with Digest::MD5 or similar.
    #The algorithm used internally by the MD5-based crypt() uses a
    #number of transformations in which the MD5 algorithm is used,
    #but is very different.
    #Crypt::PasswdMD5 implements this algorithm in Perl,
    #allowing you to reproduce the result of said crypt() functions
    #in non-*nix systems or systems without a compatible crypt()
    #implementation.

    I'm not really a human, but I play one on earth. Cogito ergo sum a bum
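
Added example, not part of the original thread: a core-Perl sketch (no CPAN modules) that names the scheme of an .htpasswd hash from its prefix, builds an entry with a randomly generated $1$ salt as suggested above, and verifies a password by passing the stored hash back to crypt() as the salt. The function names, the sample user and password, the sample DES-style string and the use of /dev/urandom are assumptions of this example.

```perl
use strict;
use warnings;

# Characters allowed in a crypt(3) salt (64 of them, so byte % 64 is unbiased).
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Name the scheme of an .htpasswd hash field from its prefix.
sub scheme_of {
    my ($hash) = @_;
    return 'apr1 (Apache-specific MD5, not computed by system crypt)' if $hash =~ /^\$apr1\$/;
    return 'md5-crypt'    if $hash =~ /^\$1\$/;
    return 'bcrypt'       if $hash =~ /^\$2[abxy]?\$/;
    return 'sha256-crypt' if $hash =~ /^\$5\$/;
    return 'sha512-crypt' if $hash =~ /^\$6\$/;
    return 'sha1-base64'  if $hash =~ /^\{SHA\}/;
    return 'des-crypt'    if $hash =~ m{^[./0-9A-Za-z]{13}$};
    return 'unknown';
}

# Salt of $len characters drawn from the kernel CSPRNG (assumes /dev/urandom).
sub random_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, $len) == $len or die "short read from urandom";
    close $fh;
    return join '', map { $SALT_CHARS[ord($_) % 64] } split //, $bytes;
}

# Build a "user:hash" line in the thread's $1$ (MD5-crypt) format.
sub htpasswd_line {
    my ($user, $password) = @_;
    die "bad username\n" if $user eq '' or $user =~ /[:\r\n]/;
    my $hash = crypt($password, '$1$' . random_salt(8) . '$');
    die "crypt() on this system does not support \$1\$ salts\n"
        unless defined $hash && $hash =~ /^\$1\$/;
    return "$user:$hash";
}

# Verify by passing the stored hash back to crypt() as the salt.
sub check_password {
    my ($password, $stored) = @_;
    my $got = crypt($password, $stored);
    return defined $got && $got eq $stored;
}

my $line = htpasswd_line('alice', 'secret');    # constructed sample input
my (undef, $hash) = split /:/, $line, 2;
print "$line\n", scheme_of($hash), "\n", scheme_of('xy5hWdQ2Yz1aA'), "\n";
print check_password('secret', $hash) ? "verify ok\n" : "verify FAILED\n";
```

Running scheme_of() over the hash column of the old file and of a file written by the control panel shows whether the two use the same scheme.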