Web Hosting Talk







View Full Version : PHP .htaccess


Studio64
07-28-2002, 05:57 AM
Ok... I was fairly sure that this was the code to get passwords to be encrypted into the DES standard so that they could be authorized by .htaccess and .htpasswds for Basic Authentication


$salt = substr( $pass , 0 , 2 );
$enc_pw = crypt( $pass, $salt );


Take the first 2 characters of the password as the salt to send through the PHP crypt process.... but, I'm not getting the right encrypted string...

Please tell me I'm doing this wrong so I don't think I'm completely crazy....

The Prohacker
07-28-2002, 09:46 AM
$crypass=crypt($pass);
$input2="$user:$crypass";
$fp=fopen($loc.".htaccess","a+");


$password = md5($password);

It's early, so I don't wanna test them, but that's from two different scripts.... No salt needed, I guess crypt and md5 take care of it...

Ahmad
07-28-2002, 10:41 AM
Originally posted by Studio64

...

$salt = substr( $pass , 0 , 2 );
$enc_pw = crypt( $pass, $salt );

...


This is supposed to work. Let me check.

Ahmad
07-28-2002, 10:50 AM
I just checked it and it looks like it's working.

Make sure you are giving it a 2-character salt.

http://www.php.net/manual/en/function.crypt.php

BTW, it is not a good idea to use the first two characters of the password as salt, as this means revealing the first two characters of the password!

Ahmad
07-28-2002, 10:52 AM
Try this one and give me the result:

phrase: test
salt: tt

Ahmad
07-28-2002, 11:00 AM
Example using the htpasswd command:


[ahmad@localhost ahmad]$ htpasswd -nbd user test
user:2B4vPzdiXoo1I


2B is the salt, randomly chosen by htpasswd.
4vPzdiXoo1I is the hash of the word test using 2B as a salt.

The Prohacker
07-28-2002, 02:07 PM
Hmmmm... I'm looking at this and your code:
crypt($pass,substr($pass,0,2));

Should be working fine... I dunno why it's not....

Studio64
07-28-2002, 05:21 PM
OK...

With the encryption schemes given here...

http://std64.com/des.php

You can try them out...

None of them result in the encrypted values that appear in my .htpasswds file...

I was fairly positive that the first 2 were the correct salt and crypt schemes... But, it doesn't seem like it's working properly.

Ahmad
07-28-2002, 11:26 PM
OK, now I get what you mean ..

You have a given password and you want to match it against an existing hash. The salt is the first two characters of the ENCRYPTED PASSWORD, not the clear password.

If you have this line for example:

Studio64:s3NTGmYLJVMy6

Then you should use s3 as the salt.

Studio64
07-29-2002, 12:11 AM
But, how do I encrypt it to begin w/...

I.e. I want to be able to accept a password in the PHP form then fput it to the .htpasswds file... I can't use a salt I don't have for the crypt function.... Chicken and the egg scene here.... Can the original DES encryption be mimicked in PHP? Or do I have to execute it by script in the shell w/ htpasswd?

Ahmad
07-29-2002, 02:46 AM
You generate the salt randomly :)

Studio64
07-29-2002, 02:50 AM
Ahh... Holy crap how obvious....
One of those really stupid moments of clarity where you realize how stupid you can actually be....

Well, thank you all, Ahmad individually for pointing out my logical lacking...

Ahmad
07-29-2002, 02:53 AM
Let me explain this a bit more.

A salt is not a secret thing. It is just to make it harder to break using brute-force methods.

When you want to add a password to the list, you can generate a random salt to encrypt the password. The crypt password will automatically put the salt in front of the hash. So you will notice that the hash will always start with the salt.

So when you now have a password that is provided to you and you want to check it against the hashed password, you must encrypt it using the same salt. So you need to get the salt, which is, as I said, the first two characters of the hash.
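
The two steps described in this thread (a random salt when storing, the salt read back from the stored hash when checking), as an added PHP example that is not part of the original posts. The function names are hypothetical; the sample entry is the htpasswd output quoted earlier in the thread.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Characters allowed in a traditional DES crypt() salt.
const DES_SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Pick a random 2-character salt that does not depend on the password.
function random_des_salt(): string
{
    $salt = '';
    for ($i = 0; $i < 2; $i++) {
        $salt .= DES_SALT_CHARS[random_int(0, strlen(DES_SALT_CHARS) - 1)];
    }
    return $salt;
}

// Build one "user:hash" line for the password file.
function make_htpasswd_line(string $user, string $pass): string
{
    // A ":" or newline in the user name would corrupt the file or add entries.
    if (strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name must not contain ":" or a newline');
    }
    return $user . ':' . crypt($pass, random_des_salt());
}

// Check a submitted password against one stored "user:hash" line.
function check_htpasswd_line(string $line, string $user, string $pass): bool
{
    $parts = explode(':', trim($line), 2);
    if (count($parts) !== 2 || $parts[0] !== $user || strlen($parts[1]) !== 13) {
        return false; // not a DES crypt entry for this user
    }
    $stored = $parts[1];
    $salt = substr($stored, 0, 2); // the salt is the first two characters of the hash
    return hash_equals($stored, crypt($pass, $salt)); // constant-time comparison
}

// Entry from the htpasswd example in the thread (password "test", salt "2B").
$line = 'user:2B4vPzdiXoo1I';
var_dump(check_htpasswd_line($line, 'user', 'test'));
var_dump(check_htpasswd_line($line, 'user', 'wrong'));

// Constructed sample: store a new entry, then verify it.
$new = make_htpasswd_line('studio64', 'example-password');
var_dump(check_htpasswd_line($new, 'studio64', 'example-password'));
```

Traditional DES crypt only uses the first eight characters of the password, so longer passwords that share those eight characters verify as equal. On Apache 2.4 and later, `htpasswd -B` (bcrypt) is the stronger format for the same file.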

Ahmad
07-29-2002, 02:55 AM
Originally posted by Studio64
Ahh... Holy crap how obvious....
One of those really stupid moments of clarity where you realize how stupid you can actually be....

Well, thank you all, Ahmad individually for pointing out my logical lacking...

No problem. It took me a while to understand it myself :D