
Password Protected Directories and Comparing Passwords

Discussion in 'cPanel Developers' started by netarus, May 26, 2010.

  1. netarus

    netarus Well-Known Member

    Hi All,

    I'm using the cPanel File Manager to set passwords on directories and write a custom application to authenticate users into those directories. For example:

    1) Login to cpanel
    2) Set a username and password on a directory under Password Protect Directories
    3) Access our custom PHP application and inside of it compare the string passed by the user and what was generated under /home/SITENAME/.htpasswds/public_html/DIRECTORY/passwd

    This is where the problem starts - we cannot seem to get the passwords to match when encrypting the new one and comparing it with the one found inside of the passwd file.

    I found a useful function to address the whole apr nature of the encryption from a function called function crypt_apr1_md5($plainpasswd) on PHP: crypt - Manual by another user. I was able to generate a string with the apr function; however, the salt is always going to be random.

    Code:
    $apr1$f0usodex$pX1L0ciSNZtR3HRx6eGsm0
    While the version in the passwd file is something like:

    Code:
    $apr1$qiC5Xk6S$LBAAJxUfDHN3Uz83bni6D/
    Any pointers on how to compare encrypted passwords generated by Password Protect Directories inside of cPanel would be greatly appreciated.

    Thank you.
     
  2. MattDees

    MattDees cPanel Product Owner
    Staff Member

    The hashes will not match for the same password; this is not how a one-way hash works. These are digital representations that will match the password; however, they do not store the password in any way.

    For example:

    root@matt [~]# /usr/local/apache/bin/htpasswd -bm test test test
    Updating password for user test
    root@matt [~]# /usr/local/apache/bin/htpasswd -bm test test2 test
    Updating password for user test2
    root@matt [~]# cat test
    test:$apr1$HOsls...$s7iu13U0oZ07oKqDdZ5Wu.
    test2:$apr1$NFr.k/..$iLrQby14BkzGzG2gvPn9p.


    and input the same password both times, it will not match.

    When cPanel executes this we actually provide an API call for modifying this file.

    In turn, this API call will either use a Perl module that we made for modifying this or use the htpasswd provided by Apache.

    ApiHtaccess < ApiDocs/Api1 < TWiki

    This API call can be used in conjunction with the XMLAPI, à la:

    /xml-api/cpanel?cpanel_xmlapi_apiversion=1&cpanel_xmlapi_module=Htaccess&cpanel_xmlapi_func=set_pass&arg-0=$dir&arg-1=$user&arg-2=$pass

    This is probably your most fail-safe method of interacting with the htpasswd file.
     
  3. netarus

    netarus Well-Known Member

    Thanks, Matt.

    So I should run that API function with the username and password and then compare it or is there a cPanel API function that I should use to validate the username and password is accurate inside of the htpasswd file?
     
  4. netarus

    netarus Well-Known Member

    Anyone know if there is a function similar to set_pass to compare the password? Nothing inside of ApiHtaccess < ApiDocs/Api1 < TWiki immediately pops out to me.
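
The comparison asked about above, as an added example that is not part of the original thread and not cPanel's or Apache's code: take the salt from the stored `$apr1$` entry, recompute the hash of the candidate password with that salt, and compare the two strings. The function names `apr1_md5` and `htpasswd_line_matches` are hypothetical; the sample line is the `htpasswd -bm` output quoted in the thread, where the password given on the command line was `test`.

```php
<?php
// Added example; function names are hypothetical, not a cPanel or Apache API.

// APR1-MD5 (the format written by `htpasswd -m`) with a caller-supplied salt.
function apr1_md5(string $pw, string $salt): string
{
    $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = substr($salt, 0, 8);                       // salt is at most 8 chars
    $ctx = $pw . '$apr1$' . $salt;
    $final = md5($pw . $salt . $pw, true);             // raw 16-byte digest
    for ($pl = strlen($pw); $pl > 0; $pl -= 16) {
        $ctx .= substr($final, 0, min(16, $pl));
    }
    for ($i = strlen($pw); $i > 0; $i >>= 1) {
        $ctx .= ($i & 1) ? "\0" : $pw[0];
    }
    $final = md5($ctx, true);
    for ($i = 0; $i < 1000; $i++) {                    // 1000 stretching rounds
        $in = ($i & 1) ? $pw : $final;
        if ($i % 3) { $in .= $salt; }
        if ($i % 7) { $in .= $pw; }
        $in .= ($i & 1) ? $final : $pw;
        $final = md5($in, true);
    }
    // Encode the digest bytes in crypt's own base64 order and alphabet.
    $out = '';
    foreach ([[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]] as [$a, $b, $c]) {
        $v = (ord($final[$a]) << 16) | (ord($final[$b]) << 8) | ord($final[$c]);
        for ($n = 0; $n < 4; $n++, $v >>= 6) { $out .= $itoa64[$v & 0x3f]; }
    }
    $v = ord($final[11]);
    for ($n = 0; $n < 2; $n++, $v >>= 6) { $out .= $itoa64[$v & 0x3f]; }
    return '$apr1$' . $salt . '$' . $out;
}

// Check a candidate password against one "user:hash" line of the passwd file.
function htpasswd_line_matches(string $line, string $user, string $candidate): bool
{
    $parts = explode(':', trim($line), 2);
    if (count($parts) !== 2 || $parts[0] !== $user) { return false; }
    $fields = explode('$', $parts[1]);                 // ["", "apr1", salt, digest]
    if (count($fields) !== 4 || $fields[1] !== 'apr1') { return false; }
    // Recompute with the STORED salt, then compare in constant time.
    return hash_equals($parts[1], apr1_md5($candidate, $fields[2]));
}

// Sample line from the htpasswd output quoted in the thread.
$line = 'test:$apr1$HOsls...$s7iu13U0oZ07oKqDdZ5Wu.';
var_dump(htpasswd_line_matches($line, 'test', 'test'));
var_dump(htpasswd_line_matches($line, 'test', 'wrong'));
```

A line whose hash is in any other format is rejected by the format check rather than compared.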
     