38

Is there a way, from the command line, to check a user and password against a file created by htpasswd, the tool provided by Apache?

Charles
Pablo Fernandez
  • Hmm. There's a [tag:htpasswd] tag for questions about the `htpasswd` program, but the system won't let it coexist with the [tag:.htpasswd] tag... – Charles Jun 11 '14 at 06:21
  • 3
    You still haven't accepted the answer. Shame on you. – qwerty_so Nov 28 '19 at 10:21

2 Answers

50

You can use the htpasswd tool for this.

```
# create htpasswd_file with user:password
$ htpasswd -cb htpasswd_file user password
Adding password for user user

# verify password for user
$ htpasswd -vb htpasswd_file user wrongpassword
password verification failed

$ htpasswd -vb htpasswd_file user password
Password for user user correct.
```

Exit status is 0 for success, 3 for failure.

Eren Güven
  • 9
    It's generally more secure to omit `-b` and type the password into a prompt. Using the above command, the plaintext password may end up in your `.bash_history`. – Ben Mares Aug 07 '20 at 15:15
42

Assuming you create the password using the following command, with "myPassword" as the password:

```
htpasswd -c /usr/local/apache/passwd/passwords username
```

This will create a file that looks like

```
username:$apr1$sr15veBe$cwxJZHTVLHBkZKUoTHV.k.
```

The `$apr1$` is the hashing method, `sr15veBe` is the salt, and the last string is the hashed password. You can validate it with openssl using

```
openssl passwd -apr1 -salt sr15veBe myPassword
```

which will output

```
$apr1$sr15veBe$cwxJZHTVLHBkZKUoTHV.k.
```

A pipeline which you could use would be:

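```
username="something"
file=/usr/local/apache/passwd/passwords
htpasswd -c "$file" "$username"
# enter the password at the prompt

# the salt is the third $-delimited field of this user's entry
salt=$(grep "^$username:" "$file" | cut -d'$' -f3)
password=$(openssl passwd -apr1 -salt "$salt")
# enter the password at the prompt

# -F and -x: match the whole line literally, since the hash contains regex metacharacters
if grep -qxF "$username:$password" "$file"
then
  echo "password is valid"
else
  echo "password is invalid"
fi
```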

You may need to change your openssl command, as Apache's htpasswd command crypts slightly differently on each system.

For more information, visit Apache's page on the topic at http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

Jonathan Wheeler
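An added example, not part of either answer: the salt-and-rehash check from the second answer wrapped in a function that takes the password from stdin or a no-echo prompt, so it never appears in argv or `.bash_history` (the concern raised in the comment on the first answer). `check_htpasswd` and its return codes are hypothetical names chosen here; it assumes `openssl` and `awk` are installed and handles only `$apr1$` entries.

```shell
# check_htpasswd FILE USER  (hypothetical helper, not part of Apache or OpenSSL)
# Reads the candidate password from stdin, or from a no-echo prompt on a terminal.
# Returns: 0 match, 1 mismatch, 2 unknown user or unreadable file,
#          3 unsupported hash scheme, 4 openssl error.
check_htpasswd() {
  local file="$1" user="$2" entry stored salt pw candidate
  # String comparison on the user field: no regex, no prefix matches.
  entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$file") || return 2
  [ -n "$entry" ] || return 2
  stored=${entry#*:}                 # everything after the first colon
  case $stored in
    '$apr1$'*) ;;                    # Apache MD5, the format shown in the answer
    *) return 3 ;;                   # bcrypt, {SHA}, crypt(3): not handled here
  esac
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  if [ -t 0 ]; then
    printf 'Password: ' >&2
    stty -echo; IFS= read -r pw; stty echo
    printf '\n' >&2
  else
    IFS= read -r pw || [ -n "$pw" ] || return 1
  fi
  # printf is a shell builtin, so the password is piped and never placed in argv.
  candidate=$(printf '%s\n' "$pw" | openssl passwd -apr1 -salt "$salt" -stdin) || return 4
  [ "$candidate" = "$stored" ]
}
```

Run it interactively as `check_htpasswd /usr/local/apache/passwd/passwords username`, or feed the password on stdin from a script.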