问题
I have a database of users1, in which passwords are salted and hashed in the following manner:
hash = md5(md5(password) + salt)
I would like to create private directories for any user in this database, and I envision doing so by configuring .htpasswd to private user authentication to these directories. I've looked into a few ways of approaching this, but none support this particular hashing algorithm:
- Generate htpasswd entries with htpasswd's default, single-run md5 algorithm, generated at time of user password entry. However, this is a reduction of security compared to how password hashes are stored in the existing database.
- Use mod_auth_mysql with Apache2 to configure direct database access. However, this module doesn't support custom hashing algorithms and instead only supports single-run salt+md5.
Ideally, a solution will use the existing database, or at the very least the existing algorithm in order to allow for the same level of security as currently exists. Changing the database's password hashing algorithm is not an option, as users already exist and I do not wish to require every one of them to reset their passwords (to use a weaker algorithm, nonetheless).
How can I achieve this custom database authentication in htpasswd, directly or indirectly?
1 - This is a VBulletin user database.
2 - The server is running Nginx, but apache2-utils is installed for htpasswd editing.
回答1:
As Alexey said auth_request is the built-in pre-authentication mechanism can be integrated with no app logic change, basically you create another internal backend location, to hit before allow request to happen. Nginx 1.5.4+ got this module incorporated in main repo source so additional configure and compile step is no longer required.
来源:https://stackoverflow.com/questions/31212471/configure-htpasswd-to-verify-user-against-existing-database-with-custom-hashing