Apache基本身份验证,mod_authn_dbd和密码盐
[英]Apache basic auth, mod_authn_dbd and password salt
问题描述
Using Apache mod_auth_basic and mod_authn_dbd you can authenticate a user by looking up that user's password in the database. 
使用Apache mod_auth_basic和mod_authn_dbd ,可以通过在数据库中查找该用户的密码来对用户进行身份验证。 I see that working if the password is held in clear, but what if we use a random string as a salt (also stored in the database) then store the hash of the concatenation? 如果密码保持清晰,我可以正常工作,但是如果我们使用随机字符串作为盐(也存储在数据库中)然后存储串联的哈希怎么办?
mod_authn_dbd requires you to specify a query to select that password not to decide if the user is authenticated of not. mod_authn_dbd要求您指定一个查询以选择该密码,而不是决定是否对用户进行身份验证。 So you cannot use that query to concatenate the user provided password with the salt then compare with the stored hash. 因此,您不能使用该查询将用户提供的密码与盐连接起来,然后与存储的哈希值进行比较。
AuthDBDUserRealmQuery "SELECT password FROM authn WHERE user = %s AND realm = %s"
Is there a way to make this work? 有没有办法使这项工作?
1 个解决方案
解决方案1
0 2012-06-06 14:20:00
Looking at the Password Formats for Basic Auth it seemed that I could make this work if the hash is done using the apr_md5_encode function. 查看基本身份验证的密码格式 ,如果使用apr_md5_encode函数完成哈希操作,看来可以进行这项工作。
Found another question that relates to this and links to a Java implementation . 找到了与此相关的另一个问题 ,并链接到Java实现 。 I used that implementation with a small change to calculate the database hash inside my website normal user-creation flow. 我使用该实现进行了少量更改,以计算网站正常用户创建流程中的数据库哈希。 After this i could use mod_authn_dbd with this query: 之后,我可以在此查询中使用mod_authn_dbd:
AuthDBDUserRealmQuery "SELECT CONCAT('$apr1$',password_salt,'$',password_hash) FROM users WHERE user = %s AND realm = %s"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.