Date: Mon, 7 Jul 2008 08:22:22 -0400
From: Bill Moran
To: "Jos Chrispijn"
Cc: freebsd-questions@freebsd.org
Subject: Re: .htaccess or OS related?

In response to "Jos Chrispijn":

> I ran into a problem last night that I was able to solve, but generated a
> question:
>
> I have this hosting provider (uses Debian OS) on which I can't use htpasswd
> to generate user and password to protect a single file.
>
> To have this done I solved it as follows: did a htpasswd on my own server
> (FreeBSD 7) and simply copied the file with the user:password (scrambled) to
> my home directory I have with this hosting provider and referred in the
> .htaccess to it. And now comes the fun stuff: it worked without probs.
>
> So the algorithm that is used on FreeBSD to scramble a user password is the
> same as it is used by Debian? Isn't that a security gap?

The algorithm is part of Apache and has little or nothing to do with the
OS on which it runs.

And the encryption used to store passwords in .htaccess files is known to
be weak. If you need something strong, look to one of the other mod_*
security packages instead of .htaccess passwords.

-- 
Bill Moran
http://www.potentialtech.com
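
An added example, not part of the original mail: a small Python audit of htpasswd entries, showing that each stored hash names its own scheme by prefix (which is why a file generated on one OS verifies on another) and flagging the weaker schemes. The prefixes follow Apache's documented password formats; the ratings, function names and sample entries are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac

# Prefixes from Apache's documented htpasswd formats; ratings are this example's judgement.
SCHEMES = [
    ("$2y$", "bcrypt", "strong"),
    ("$apr1$", "apr1-md5", "legacy"),    # salted, 1000 rounds of MD5
    ("{SHA}", "sha1-unsalted", "weak"),  # single unsalted SHA-1
]

def classify(stored):
    """Return (scheme, rating) for the hash field of one htpasswd entry."""
    for prefix, name, rating in SCHEMES:
        if stored.startswith(prefix):
            return name, rating
    if len(stored) == 13:  # traditional DES crypt(3): 2-char salt + 11-char hash
        return "des-crypt", "weak"
    return "unknown", "review"

def sha_entry(user, password):
    """Build a {SHA} entry: base64 of the raw SHA-1 digest. Same output on any OS."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def verify_sha(stored, password):
    """Check a password against a stored {SHA} hash field in constant time."""
    expected = sha_entry("x", password).split(":", 1)[1]
    return hmac.compare_digest(stored.encode(), expected.encode())

def audit(text):
    """Parse htpasswd text and return [(user, scheme, rating), ...]."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        findings.append((user, *classify(stored)))
    return findings

# Constructed sample file: only carol's hash is a real digest, the rest are filler.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    sha_entry("carol", "example-password"),
    "dave:ab" + "C" * 11,
])

if __name__ == "__main__":
    for user, scheme, rating in audit(SAMPLE):
        print(f"{user:6} {scheme:14} {rating}")
```

Because {SHA} entries carry no salt, two users with the same password get identical hash fields, which is one reason that scheme rates as weak here.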