使用自定义散列算法配置htpasswd以根据现有数据库验证用户 [英] Configure htpasswd to verify user against existing database with custom hashing algorithm

问题描述

我有一个用户数据库，其中密码以以下方式被腌制和散列：

  hash = md5（md5（password）+ salt）
  

我想创建私有目录为这个数据库中的任何用户，我想通过配置.htpasswd到这些目录的私人用户身份验证来实现。我已经介绍了几种处理这种方法的方法，但是没有人支持这种特殊的哈希算法：

• 使用htpasswd的默认值单一生成htpasswd条目 - 运行md5算法，在用户密码输入时生成。然而，与现有数据库中密码哈希值的存储方式相比，这会降低安全性。


• 使用 2 配置nofollow> mod_auth_mysql 以配置直接数据库访问。但是，该模块不支持自定义哈希算法，而是仅支持单一运行的salt + md5。

理想情况下，解决方案将使用现有的数据库，或者至少使用现有的算法，以便与当前存在的安全级别相同。更改数据库的密码散列算法不是一种选择，因为用户已经存在，我不想要求他们每个人重置密码（尽管如此，仍然使用较弱的算法）。

如何直接或间接在htpasswd中实现这种自定义数据库身份验证？

_{1 - 这是一个 VBulletin 用户数据库。}

^{2 - 服务器是运行Nginx，但安装了apache2-utils用于htpasswd编辑。}

正如Alexey所说 auth_request 是内置的预认证机制，可以与没有应用程序逻辑变化的集成，基本上你创建另一个内部后端位置，在允许请求发生之前命中。 Nginx 1.5.4+将此模块并入主repo源，因此不再需要额外的配置和编译步骤。

I have a database of users¹, in which passwords are salted and hashed in the following manner:

hash = md5(md5(password) + salt)

I would like to create private directories for any user in this database, and I envision doing so by configuring .htpasswd to private user authentication to these directories. I've looked into a few ways of approaching this, but none support this particular hashing algorithm:

• Generate htpasswd entries with htpasswd's default, single-run md5 algorithm, generated at time of user password entry. However, this is a reduction of security compared to how password hashes are stored in the existing database.
• Use mod_auth_mysql with Apache² to configure direct database access. However, this module doesn't support custom hashing algorithms and instead only supports single-run salt+md5.

Ideally, a solution will use the existing database, or at the very least the existing algorithm in order to allow for the same level of security as currently exists. Changing the database's password hashing algorithm is not an option, as users already exist and I do not wish to require every one of them to reset their passwords (to use a weaker algorithm, nonetheless).

How can I achieve this custom database authentication in htpasswd, directly or indirectly?

_{1 - This is a VBulletin user database.}

^{2 - The server is running Nginx, but apache2-utils is installed for htpasswd editing.}

解决方案

As Alexey said auth_request is the built-in pre-authentication mechanism can be integrated with no app logic change, basically you create another internal backend location, to hit before allow request to happen. Nginx 1.5.4+ got this module incorporated in main repo source so additional configure and compile step is no longer required.

这篇关于使用自定义散列算法配置htpasswd以根据现有数据库验证用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！