Thursday, August 19, 2010

mod_auth_mysql issue password mismatch

SkyHi @ Thursday, August 19, 2010
After 2 days of headbanging, i finally gave a thought of asking you guys, hope i get some positive feedback... here goes.
Has anyone got previous hands-on experience using :mod_auth_mysql.so" module?
My Working Environment is:

WinXP Pro
Apache 2.2.0
PHP 5.1.2
MySQL 5.0.20


My problem is:
i`m using mod_auth_mysql to restrict certain directories to certain users.
(ppl who`ve used before would know what i mean ) i configured everything according to the documentation provided by the *module* site.

Code:

#My htaccess file

ErrorDocument 401 /oops.html
ErrorDocument 404 /oops.html

AuthName "Area 51"
AuthType Basic
AuthMySQLHost "localhost"
AuthMySQLDB letmein
AuthMySQLUser wizard
AuthMySQLPassword nba2006
AuthMySQLUserTable user_info
AuthMySQLAuthoritative On
AuthMySQLEnable On
require valid-user
now when I try to access the protected folder I`m prompted to log-in, but once I do,
there is no change... the log-in prompt appears again. it doesn`t take me to the protected folder.
when I checked the error log, i got the following message...

Code:

[Tue May 23 20:13:33 2006] [error] [client 127.0.0.1] user test: password mismatch: /hta/archives/index.html, referer: <a onclick="pageTracker._trackPageview ('/outgoing/http_localhost_hta_');" href="http://localhost/hta/" target="_blank">http://localhost/hta/</a>
Does anyone know the cause for this error?
would appreciate some feedback.


Solution:

In my apache error.log, I get:
[Fri Jun 13 09:23:30 2008] [error] user MRUSER: password mismatch:/downloads
I'm using mysql and apache available from the ubuntu repository.
Here are the versions of the software I'm using now:
apache 2.2.8-1ubuntu0.2
mysql 14.12 Distrib 5.0.51a
ubuntu 8.04

Here's what I have for my configuration
<Directory /var/www/downloads>

AuthName "test"
AuthType Basic
AuthUserFile /dev/null
AuthBasicAuthoritative Off
AuthMySQLEnable On
AuthMySQLAuthoritative On
AuthMySQLHost 192.168.0.1
AuthMySQLDB dbname
AuthMySQLUser user
AuthMySQLPassword pass
AuthMySQLUserTable user
AuthMySQLNameField user_name
AuthMySQLPasswordField user_password
AuthMySQLPwEncryption md5
require valid-user
#require user John
</Directory>

I think it has something to do with the way the password in the database is being decrypted. The funny thing is, when I change the

AuthMySQLPwEncryption md5
to
AuthMySQLPwEncryption none

and copy+paste in the encrypted password exactly how it is in the database, I am able to authenticate ok and get to the directory I want.
Out of desperation, I went ahead and tried all of the configuration options:
AuthMySQLPwEncryption crypt | scrambled | md5 | aes | sha1
and none of them worked.
And, yes, I'm sure I'm entering the correct password in the username/password popup. :)
NOTE: create a table id, user, password

I was able to get the old passwords to work.
It turns out apache was not using a salt, but a simple md5 hash.
It could authenticate with an old set of passwords that werent made with a salt.

REFERENCES
http://www.ultrashock.com/forums/server-side/mod_auth_mysql-issue-81610.html
http://ubuntuforums.org/archive/index.php/t-827979.html