4

I want to use Apache's htpasswd util with my custom BasicAuthenticationAttribute in MVC. However, based on the htpasswd documentation, I am unsure how to compute a password hash for comparison to the htpasswd file. Is there a managed .NET library or some simple documentation that will help me figure this out?

Edit: The question pointed out by Heinzi is fine for SHA, but I also want to be able to handle the MD5 (APR1?) hash variant. I've seen a few code samples, but they're a bit too opaque for me to understand. Likewise for the actual code file linked to in the Apache documentation.

Ideally, I'd like to be able to take any client's .htpasswd file and drop it in to my ASP.NET site for authentication purposes, without constraints on which hash method is used.

Chris
  • This answer is for PHP, but the .NET library also contains classes for SHA1 and MD5: http://stackoverflow.com/questions/39916/programmaticly-building-htpasswd – Heinzi Mar 01 '13 at 08:02
  • @Chris your title is edited, c# has been removed. maybe you want to put it back since I think it's rather meaningful for this question – bas Mar 01 '13 at 08:04
  • 3
    I grow tired of overzealous editors on this damn site. I put C# in the title because in certain places on this site (e.g. the Related section on the right here), you don't see the tags, so you may not know it's a C# question if it's not in the title. This whole damn site network suffers from excessive moderation by wannabe site admins. – Chris Mar 01 '13 at 08:08
  • @Chris: This is a collaborative site, so having your post edited by someone else is completely normal (improving formatting). Though I agree that not all of the edits made on your post are good. – nhahtdh Mar 01 '13 at 09:43
  • It's not even about whether the edits are acceptable. It's about whether they are necessary. Personal style and opinion is not a valid reason to edit posts. – Chris Mar 01 '13 at 09:51
  • Chris is right, edits should always respect the author's writing and formatting style as long as it's not incorrect or substandard. And besides, the first few edits made it worse anyway. @SonerGönül In regards to your title edit, please see http://meta.stackexchange.com/questions/19190/should-questions-include-tags-in-their-titles/130208#130208 It's OK to mention the language in the title as long as it isn't styled like a tag. – BoltClock Mar 01 '13 at 10:34
  • @BoltClock Thanks to all guys, you are right! Sorry about the wrong edit. I will be much more sensitive next time. – Soner Gönül Mar 01 '13 at 12:31

1 Answer

5

I recently added support for Apache MD5 to CryptSharp. It can compute and verify these passwords for you. Since it's a variant you'll need to give an extra parameter to the Crypter.MD5.Crypt() method:

// Requires: using CryptSharp;
string cryptedPassword = Crypter.MD5.Crypt("HelloWorld", new CrypterOptions
  {
    { CrypterOption.Variant, MD5CrypterVariant.Apache }
  });

To verify:

bool matches = Crypter.CheckPassword("HelloWorld", cryptedPassword);

You can also verify using the Crypt() method itself, but CheckPassword() automatically determines if it's Apache MD5, DES, etc.

Hope this helps

James

James
  • Apparently someone has cloned your source and made a nuget package for it. You should try to contact them to coordinate this effort so that the existing nuget package can be updated to include your recent release. https://github.com/ChrisMcKee/cryptsharp – Chris May 07 '13 at 18:27
  • Yes, I saw that and contacted him. He did not update it (except, oddly, the readme file), so I posted an official CryptSharp package: https://www.nuget.org/packages/CryptSharpOfficial/ – James May 17 '13 at 16:35
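
An added example, not part of the answer above and not CryptSharp's own code: one way to load a .htpasswd file and verify a login regardless of scheme, handling `{SHA}` entries directly and passing everything else to the `Crypter.CheckPassword()` call shown in the answer. The `HtpasswdFile` class and `FixedTimeEquals` helper are hypothetical names, and UTF-8 password encoding is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using CryptSharp; // Crypter.CheckPassword, as used in the answer above

// Hypothetical helper: loads "user:hash" lines and verifies a login against them.
public sealed class HtpasswdFile
{
    private readonly Dictionary<string, string> _entries = new Dictionary<string, string>(StringComparer.Ordinal);

    public HtpasswdFile(TextReader reader)
    {
        string line;
        while ((line = reader.ReadLine()) != null)
        {
            line = line.Trim();
            int colon = line.IndexOf(':');
            // Skip blanks, comments and malformed lines instead of throwing.
            if (line.Length == 0 || line[0] == '#' || colon <= 0) continue;
            _entries[line.Substring(0, colon)] = line.Substring(colon + 1);
        }
    }

    public bool Verify(string user, string password)
    {
        string stored;
        // Unknown user or empty hash field: fail closed.
        if (!_entries.TryGetValue(user, out stored) || stored.Length == 0) return false;
        if (stored.StartsWith("{SHA}", StringComparison.Ordinal))
        {
            // {SHA} entries are "{SHA}" + Base64(SHA-1(password)), with no salt.
            byte[] digest;
            using (var sha1 = SHA1.Create())
                digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(password)); // UTF-8 is an assumption
            return FixedTimeEquals(Convert.ToBase64String(digest), stored.Substring(5));
        }
        // $apr1$ (Apache MD5), DES, etc.: per the answer, CheckPassword determines the scheme.
        return Crypter.CheckPassword(password, stored);
    }

    // Compares without exiting early, so timing does not reveal where the strings differ.
    private static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

From a custom authentication attribute, construct it once with `new HtpasswdFile(File.OpenText(path))` and call `Verify(user, password)` per request; `path` is a placeholder for wherever the client's file is stored.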