Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Apache htpasswd secure password change

My question is simple.

How to allow users to change their passwords stored in some htpasswd file in linux without revealing the files content or allow users to modify other passwords?

I tried to write a script to do that job using ssh and specialy-designed user but it leads noway.

Please help. I am using Debian server "Lenny".

like image 627
Rusty Horse Avatar asked Jan 19 '11 14:01

Rusty Horse


People also ask

How do I reset my Apache password?

Enter your Apache User ID and we will send a password reset email to your [email protected] address. The email will be encrypted to your public PGP key, if your profile identifies one. If the email doesn't arrive, email root@ for assistance.

How do I generate htpasswd password?

Use the htpasswd generator to create passwords for htpasswd files. Just enter username and password and an entry for a htpasswd file is generated. You can use the htaccces Authentication generator to create a htaccess file that will password protect your site or a directory.


1 Answers

The Apache htpasswd file does not support any shadow functionality. Therefor you have to prevent the users accessing your web server in order to keep them away from the password file. So the only solution is your SSH based approach or any other remote solution. The following description will explain how to write a SSH command script to change the password only if the user knows his old password. The major problem is, that Apache does not provide a command line tool to verify a password in a htpasswd file. But this can be done by hand.

The following description assumes that the web server user is www-data and that the home directory of the user is /var/www.

First you have to create a htpasswd file, that is writable by the web server user:

# ls -la .htpasswd
-rw-r--r-- 1 www-data root 18 10. Mai 16:30 .htpasswd

Then you have to add the keys of all your users to the authorized_keys file of the web server user. You have to prefix each line with the command option.

# cat .ssh/authorized_keys 
command="/var/www/.htpasswd.sh" ssh-rsa AAAA... user@host

Whenever a user connects with his key only the .htpasswd.sh gets executed. The users do not have any shell access to the web server.

This is the script to change the password:

#! /bin/bash

HTPASSWD=/var/www/.htpasswd

die () { echo "$*" >&2 ; exit 1 ; }

read -p 'Enter user name: ' USER
read -s -p 'Old password: ' OLDPW ; echo
read -s -p 'New password: ' NEWPW0 ; echo
read -s -p 'Re-type new password: ' NEWPW1 ; echo

if LINE=$(grep ^"$USER": "$HTPASSWD")
then
    echo "$LINE" | sed 's/.*:\(..\)\(.\+\)/\1 \2/' | { 
        read SALT CRYPT
        if [[ "$SALT$CRYPT" = $(echo "$OLDPW" | mkpasswd -sS "$SALT") ]] ; then
            if [ "$NEWPW0" != "$NEWPW1" ] ; then
                die "Password verification error!"
            fi
            PWS=$(grep -v ^"$USER:" "$HTPASSWD")
            {
                echo "$PWS"
                echo -n "$USER:"
                echo "$NEWPW0" | mkpasswd -s
            } > "$HTPASSWD"
            echo "Updating password for user $USER."
        else
            die "Password verification error!"
        fi
    }
else
    die "Password verification error!"
fi

The tricky part is the password verification. It is done by reading the old salt and encrypting the old password with the old salt. The result is compared with the old encrypted password in the htpasswd file.

Now the user can connect to the web server in order to change the password:

$ ssh www-data@localhost
Enter user name: szi
Old password: 
New password: 
Re-type new password: 
Updating password for user szi.
Connection to localhost closed.

Everybody can change only his own password and nobody has access to the encrypted passwords of the other users. This solution has an additional benefit about using the original htpasswd program in a shell script, because the passwords are never used as a command line argument. This would not be possible with htpasswd, because it can not read the password from stdin like mkpasswd.

like image 177
ceving Avatar answered Sep 21 '22 12:09

ceving