Tuesday, October 18, 2011

FreeBSD Password Protected Folder

Issue: We were presented with a site hosted on a FreeBSD server that had a password protected folder when viewed with a browser.  The customer wanted to update the password.  They used to use http://home.flash.net/cgi-bin/pw.pl but it has been retired.
Solution: We were able to track down the password file the folder was using.  But we couldn't figure out how to encrypt a new password.
We discovered htpasswd on the FreeBSD server. We connected to the box with PuTTY, then ran htpasswd four times, once with each encryption method below. We then copied and pasted each resulting value into the password file next to the username until we could authenticate to the site. We tested with the following switches:
  • -n = simply display the output (don't create a file)
  • -b = use the password from the command line
The four commands we ran were:
  • htpasswd -nb apacheuser topsecretpassword
  • htpasswd -nmb apacheuser topsecretpassword - "Force MD5 encryption"
  • htpasswd -nsb apacheuser topsecretpassword - "Force SHA encryption"
  • htpasswd -ndb apacheuser topsecretpassword - Uses Crypt
The site turned out to be using Crypt, as that was the value we were able to authenticate with.
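
The encryption method can also be read off the existing entry in the password file, which avoids pasting in each variant in turn. The script below is an added example, not part of the original post: the function names and sample entries are constructed, and the -B (bcrypt) switch it reports belongs to the htpasswd shipped with Apache 2.4, which the post does not cover.

```sh
#!/bin/sh
# Print "<user> <scheme> <htpasswd switch>" for one "user:hash" line of an
# Apache password file. The scheme is recognised from the shape of the hash.
htpasswd_scheme() {
    entry=$1
    case $entry in
        *:*) ;;
        *) echo "- invalid -"; return 0 ;;   # no user:hash separator
    esac
    user=${entry%%:*}
    hash=${entry#*:}
    case $hash in
        '$apr1$'*)        echo "$user md5 -m" ;;
        '{SHA}'*)         echo "$user sha1 -s" ;;
        '$2y$'*|'$2a$'*)  echo "$user bcrypt -B" ;;   # -B: Apache 2.4 htpasswd
        *[!./0-9A-Za-z]*) echo "$user unknown -" ;;
        *)
            # Traditional crypt(): 2 salt chars + 11 hash chars = 13 total
            if [ "${#hash}" -eq 13 ]; then
                echo "$user crypt -d"
            else
                echo "$user unknown -"
            fi ;;
    esac
}

# Constructed sample file; the hash values are made-up strings of the right shape.
sample_htpasswd() {
    cat <<'EOF'
apacheuser:abJnggxhB/yWI
md5user:$apr1$Qh3kXz1a$Zt0vLr8mWq2NcYb5PdEu71
shauser:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF
}

# Report the scheme for every entry, skipping blank lines and comments.
scan_htpasswd() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        htpasswd_scheme "$line"
    done
}

sample_htpasswd | scan_htpasswd
```

On a real server, feed the password file to it with `scan_htpasswd < /path/to/passwordfile`. Leaving out -b makes htpasswd prompt for the password instead, which keeps it out of the shell history and the process list.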