Password Protected Directories and Comparing Passwords

netarus

Hi All,

I'm using the cPanel File Manager to set passwords on directories and writing a custom application to authenticate users into those directories. For example:

1) Login to cpanel
2) Set a username and password on a directory under Password Protect Directories
3) Access our custom PHP application and, inside of it, compare the string passed by the user with what was generated under /home/SITENAME/.htpasswds/public_html/DIRECTORY/passwd

This is where the problem starts - we cannot seem to get the passwords to match when comparing the newly encrypted one with the one found inside of the passwd file.

I found a useful function to address the whole apr nature of the encryption, a function called crypt_apr1_md5($plainpasswd) posted by another user on the PHP: crypt - Manual page. I was able to generate a string with the apr function; however, the salt is always going to be random.

Code:
$apr1$f0usodex$pX1L0ciSNZtR3HRx6eGsm0

While the version in the passwd file is something like:

Code:
$apr1$qiC5Xk6S$LBAAJxUfDHN3Uz83bni6D/

Any pointers on how to compare encrypted passwords generated by Password Protect Directories inside of cPanel would be greatly appreciated.

Thank you.
 

MattDees

The hashes will not match for the same password; this is not how a one-way hash works. These are digital representations that will match the password but do not store the password in any way.

For example:

root@matt [~]# /usr/local/apache/bin/htpasswd -bm test test test
Updating password for user test
root@matt [~]# /usr/local/apache/bin/htpasswd -bm test test2 test
Updating password for user test2
root@matt [~]# cat test
test:$apr1$HOsls...$s7iu13U0oZ07oKqDdZ5Wu.
test2:$apr1$NFr.k/..$iLrQby14BkzGzG2gvPn9p.

Input the same password both times and it will not match.

When cPanel executes this, we actually provide an API call for modifying this file.

In turn, this API call will either use a Perl module that we made for modifying this or use htpasswd provided by Apache.

ApiHtaccess < ApiDocs/Api1 < TWiki

This API call can be used in conjunction with the XMLAPI, à la

/xml-api/cpanel?cpanel_xmlapi_apiversion=1&cpanel_xmlapi_module=Htaccess&cpanel_xmlapi_func=set_pass&arg-0=$dir&arg-1=$user&arg-2=$pass

This is probably your most fail-safe method of interacting with the htpasswd file.
 

netarus

Thanks, Matt.

So I should run that API function with the username and password and then compare it, or is there a cPanel API function that I should use to validate that the username and password are accurate inside of the htpasswd file?
 

netarus

In turn, this API call will either use a Perl module that we made for modifying this or use htpasswd provided by Apache.

ApiHtaccess < ApiDocs/Api1 < TWiki

This API call can be used in conjunction with the XMLAPI, à la

/xml-api/cpanel?cpanel_xmlapi_apiversion=1&cpanel_xmlapi_module=Htaccess&cpanel_xmlapi_func=set_pass&arg-0=$dir&arg-1=$user&arg-2=$pass

Anyone know if there is a function similar to set_pass to compare the password? Nothing inside of ApiHtaccess < ApiDocs/Api1 < TWiki immediately pops out to me.
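
The comparison asked about in this thread, as an added example (not code from any poster or from cPanel): take the salt out of the stored `$apr1$` entry, re-hash the candidate password with that salt, and compare the results in constant time. Python is used so the logic runs stand-alone; `apr1_hash`, `verify` and `check_htpasswd` are names chosen here, and the sample file is the two entries from the htpasswd session above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The two entries from the htpasswd session in this thread (password "test").
SAMPLE = ("test:$apr1$HOsls...$s7iu13U0oZ07oKqDdZ5Wu.\n"
          "test2:$apr1$NFr.k/..$iLrQby14BkzGzG2gvPn9p.\n")

def apr1_hash(password, salt):
    """Apache apr1 (MD5-crypt variant) hash of password under the given salt."""
    pw, s = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s + (alt * (len(pw) // 16 + 1))[:len(pw)]
    n = len(pw)
    while n:  # one extra byte per bit of the password length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):  # fixed 1000-round mixing loop
        block = pw if i & 1 else final
        if i % 3:
            block += s
        if i % 7:
            block += pw
        block += final if i & 1 else pw
        final = hashlib.md5(block).digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = final[a] << 16 | final[b] << 8 | final[c]
        for _ in range(4):  # 24 bits -> 4 characters, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return b"$apr1$" + s + b"$" + out.encode()

def verify(password, stored):
    """Re-hash with the salt embedded in the stored entry; constant-time compare."""
    parts = stored.split("$")  # ['', 'apr1', salt, digest]
    if len(parts) != 4 or parts[1] != "apr1":
        return False  # not an apr1 entry (bcrypt, SHA1 and crypt need other code)
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored.encode())

def check_htpasswd(text, user, password):
    """Look up user in passwd-file text and verify the supplied password."""
    for line in text.splitlines():
        name, _, stored = line.strip().partition(":")
        if name == user:
            return verify(password, stored)
    return False
```

The same approach carries over to a PHP routine that accepts a salt: pass in the salt read from the stored entry instead of a random one, and compare with `hash_equals()`.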