Basic_auth plain text password

Hi,

I am running nginx/0.8.50, and i am using “auth_basic” for basic
authentication. Now what i have found so far is that it looks like
nginx is treating the passwords as plain text. My basic idea is that
Nginx does not encrypt the password that it gets with MD5 or any other
algorithm, and simply checks password that is sent as plain text.
is this true or am i missing something?

Here is part of my configuration:

location / {
limit_except POST { # do this for all requests but GETS
auth_basic “Restricted”;
auth_basic_user_file passwd;
proxy_pass http://localhost:8250;
}

Configuration is valid:

C:\ProgramFiles\nginx>nginx.exe -t
the configuration file C:\ProgramFiles\nginx/conf/nginx.conf syntax is
ok
configuration file C:\ProgramFiles\nginx/conf/nginx.conf test is
successful

Contents of passswd file:
aaa:hxd1LrV11sUPs
bbb:/vtymnRvQGh52
qqq:aaa
ccc:ccc

What i have found is that if i try user aaa, or bbb, for which
passwords are generated with Apache htpasswd utility i get log error

2010/09/09 19:46:46 [error] 5596#560: *3 user “aaa”: password
mismatch, client: 9.183.126.52, server: myserver, request: “GET
/shortlog/d6b56cc4c6d1 HTTP/1.1”, host: “myhost”
2010/09/09 19:47:16 [error] 5596#560: *3 user “bbb”: password
mismatch, client: 9.183.126.52, server: myserver, request: “GET
/shortlog/d6b56cc4c6d1 HTTP/1.1”, host: “myhost”

If i try connecting with user ccc and password ccc, user is allowed.

I’ve found on google some mails in mailing lists that tell that this
might not yet be implemented (can’t find that URL now).
And, by the way, OS is WinXP.


LinkÄ—jimai, Best Regards

Darius Damalakas

Hello!

On Fri, Sep 10, 2010 at 10:02:24AM +0300, Darius Damalakas wrote:

I am running nginx/0.8.50, and i am using “auth_basic” for basic
authentication. Now what i have found so far is that it looks like
nginx is treating the passwords as plain text. My basic idea is that
Nginx does not encrypt the password that it gets with MD5 or any other
algorithm, and simply checks password that is sent as plain text.
is this true or am i missing something?

[…]

I’ve found on google some mails in mailing lists that tell that this
might not yet be implemented (can’t find that URL now).
And, by the way, OS is WinXP.

Windows has no crypt() function and only plain text passwords are
supported for now.

Maxim D.

Thanks for answer

2010/9/10 Maxim D. [email protected]:


nginx mailing list
[email protected]
http://nginx.org/mailman/listinfo/nginx


LinkÄ—jimai, Best Regards

Darius Damalakas

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs