Security integration to Apache .htpasswd?

Hi There

We have around 250 members already registered for our members-only website and I have now installed Concrete5 on a subweb. Ideally I'd like to make use of existing user IDs and passwords already stored in the Apache passwd-formatted .htpasswd file (which is not held in a web accessible place by the way).

Is there a way for me to point Concrete5 to that file to authenticate users?

The file looks something like:

"User1:$1$GOkzj7TY$Val9dzCTWUS5p1Epn2Gjv.
User2:$1$RWVVC5Ja$aBYX.idyNz0ofWesLFl0E0
User3:$......etc.."

Thanks a lot

Cliff

 
Remo replied:
I think this doesn't work out of the box.

It's certainly possible to create your own authentication function which checks the htuser file but that's not done in 5 minutes.

Since the hash is generated in a different way you also can't copy the password into the c5 user table...

Sounds like a custom job to me! ):
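
A check of the kind described in the reply above, verifying a login against an htpasswd-style file, could look like this in PHP. It is an added example, not code from the thread or from Concrete5; the function names and the sample user, password and salt are assumptions, and it handles only the `$1$` (MD5-crypt) format shown in the question.

```php
<?php
// Added example: verify a login against an htpasswd-style file holding
// $1$ (MD5-crypt) hashes. Function and variable names are hypothetical.

/** Load "user:hash" lines into an array keyed by user name. */
function htpasswd_load(string $path): array
{
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        // Split on the first colon only; skip comments and malformed lines.
        $parts = explode(':', $line, 2);
        if ($line[0] === '#' || count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            continue;
        }
        $users[$parts[0]] = trim($parts[1]);
    }
    return $users;
}

/** Return true only if $user exists and $password matches the stored hash. */
function htpasswd_verify(array $users, string $user, string $password): bool
{
    // Unknown users get a dummy hash so both paths do the same crypt() work.
    $dummy  = '$1$00000000$0000000000000000000000';
    $stored = $users[$user] ?? $dummy;
    // Only $1$ is handled here; crypt() does not implement Apache's $apr1$.
    if (strncmp($stored, '$1$', 3) !== 0) {
        return false;
    }
    // crypt() reads the scheme and salt from the stored hash itself.
    $computed = crypt($password, $stored);
    return isset($users[$user]) && hash_equals($stored, $computed);
}

// Constructed sample data: one account with a made-up password and salt.
$path = tempnam(sys_get_temp_dir(), 'htp');
file_put_contents($path, "# sample\nalice:" . crypt('s3cret-Example', '$1$Xy12abCD$') . "\n");

$users = htpasswd_load($path);
var_dump(htpasswd_verify($users, 'alice', 's3cret-Example')); // correct password
var_dump(htpasswd_verify($users, 'alice', 'wrong'));          // wrong password
var_dump(htpasswd_verify($users, 'bob', 's3cret-Example'));   // unknown user
unlink($path);
```
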
Remo replied:
Another thing - never ever post your passwords! Even if they are encrypted..

I suggest you change the password for user 1 and 2 as they are quite weak.
cliff replied:
Hey Remo, fortunately they are completely fictitious, so no worries mate!

Cliff
Remo replied:
I can see you're not blonde (:

You wouldn't have been the first person to post a hash on the internet.. Is your wife's name Isabel? ;-)

Do you have the password or just the hashes? If you have the passwords, it's quite easy to generate user accounts using the c5 api...
cliff replied:
That sounds interesting.. We're a choir charity and we have a web-based member-administration system for our members-only website (not Concrete5). How it works is:
- The administrator registers new members with their email addy, userid and a temp password;
- This gets stored in a MySQL table and the script generates a password.txt file that contains the userid and hashed password;
- in the site root is a .htaccess which contains (more or less :) ) the following:
"SetEnv PROGRAMME_HOME ...../local/home/~user/programme_dir

AuthType Basic
AuthName Restricted
AuthUserFile ...../local/home/~user/programme_dir/~path1/~path2/password.txt
Require valid-user"

So I guess that to answer your question, YES, I have access to the userid, unencrypted password and email addy so could very well use the API to generate user accounts...

If you could point me in the right direction on how to do that I would very much appreciate that!

By the way, before I stumbled across Concrete5 I installed PMWiki and they have a module called AuthUser which can call this password.txt file so that users don't have to reregister for a PMWiki site, but then Concrete5 is SO much more user-friendly and fantastic really!

Cheers

Cliff
Remo replied:
Yes I can see you're not blonde at all (:
It's sometimes a bit tricky since you don't know the people you're talking to...

But nice to have some more smarts in this community!

Here's what should work: Create a single page or anything where you have access to the c5 api. You get access to the api if you open a page through "index.php"..

There you can use something like:
$email = '...';
$password = User::encryptPassword('your-password', 'salt-see-config-site.php');
UserInfo::addSuperUser($password, $email);


The second parameter of encryptPassword is the salt which you can find in the file config/site.php
Remo replied:
You probably don't want to create a super user.

Check concrete/models/userinfo.php

The method add is probably what you're looking for..