Bug #2483

problems with htpasswd crypt(3) support [patch]

Added by sthen_ over 2 years ago. Updated over 2 years ago.

Status: Fixed
Start date: 2013-04-24
Priority: Normal
Due date:
Assignee: -
% Done:

Target version: -
Missing in 1.5.x: No


I've been trying to use bcrypt with lighttpd's htpasswd support in mod_auth. Current versions of these look like this:


2a is the variant version; other ones currently used are 2x and 2y. 2 is long defunct.

09 is the log of the number of rounds.

The password AND salt are included in the final characters.

To compare a password you pass the entire hashed string to crypt() along with the user-supplied password, then compare the returned value against the stored value in the htpasswd file. This same method also works, at least in glibc and OpenBSD, for MD5 and for old-style crypted passwords; there is no need to split off the salt.

Diff attached.

crypt.diff (1.25 KB) sthen_, 2013-04-24 22:52
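The comparison described in the report above, as an added example that is not part of the original report, the attached diff, or lighttpd's code: the whole stored hash is passed as the setting and the returned string is compared with the stored one. The names `crypt_fn`, `ct_streq`, `htpasswd_check` and `toy_crypt` are assumptions made for illustration; the hash function is passed in as a pointer so the logic runs without libcrypt, and `toy_crypt` is a constructed stand-in with a made-up `$toy$` format, not a real password hash.

```c
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3): (key, setting) -> hashed string, or NULL on error. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* String equality that does not stop at the first differing byte. */
static int ct_streq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 if password matches the stored htpasswd hash field, else 0. */
int htpasswd_check(const char *password, const char *stored, crypt_fn hash)
{
    if (!password || !stored || !hash || stored[0] == '\0')
        return 0;
    /* The entire stored string is the setting; no salt is split off. */
    const char *out = hash(password, stored);
    /* NULL, or a failure token starting with '*', is never a match. */
    if (!out || out[0] == '*')
        return 0;
    return ct_streq(out, stored);
}

/* Constructed stand-in (NOT a password hash): "$toy$<salt>$<8 hex digits>". */
char *toy_crypt(const char *key, const char *setting)
{
    static char buf[64];
    const char *end;
    if (strncmp(setting, "$toy$", 5) != 0 || !(end = strchr(setting + 5, '$')))
        return NULL;
    size_t plen = (size_t)(end - setting) + 1;   /* "$toy$<salt>$" */
    if (plen + 9 > sizeof buf)
        return NULL;
    unsigned long h = 2166136261UL;              /* FNV-1a over salt + key */
    for (const char *p = setting + 5; p < end; p++)
        h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    for (const char *p = key; *p; p++)
        h = ((h ^ (unsigned char)*p) * 16777619UL) & 0xffffffffUL;
    snprintf(buf, sizeof buf, "%.*s%08lx", (int)plen, setting, h);
    return buf;
}
```

With a real system, pass `crypt` from `<crypt.h>` as the third argument (on glibc, link with `-lcrypt`); the check itself is unchanged for bcrypt, MD5 or old-style hashes.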

Associated revisions

Revision 2869
Added by stbuehler over 2 years ago

[mod_auth] use crypt() on encrypted password instead of extracting salt first (fixes #2483)


#1 Updated by sthen_ over 2 years ago

"The password AND salt are included in the final characters." -- I meant, "included in the final argument".

#2 Updated by stbuehler over 2 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2869.
