Created
January 25, 2024 17:23
-
-
Save mariotpc/7df3ff9a0e1006687c1637b3618cd99e to your computer and use it in GitHub Desktop.
lighttpd username , password authentication
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Taken from: | |
| https://redmine.lighttpd.net/boards/2/topics/7984 | |
| Forums » Support » | |
| [Solved] username / password authentication | |
| Added by drkbkr almost 6 years ago | |
| Hi, We're having some trouble with username / password authentication and was wondering if anyone could help. I've stripped pieces of the configuration out (and changed the backend to plain) so it's as simple as possible. | |
| Partly what I'm asking for help with is just debugging, but if I'm doing anything obviously wrong pointing that out would be appreciated. | |
| Relevant information: | |
| uname -a | |
| Linux buildroot 4.9.0-xilinx #1 SMP PREEMPT Wed Mar 28 12:34:04 EDT 2018 armv7l GNU/Linux | |
| lighttpd -v | |
| lighttpd/1.4.48 (ssl) - a light and fast webserver | |
| cat /etc/lighttpd/lighttpd-no-apps.config | |
| server.errorlog = "/var/log/lighttpd_error.log" | |
| accesslog.filename = "/var/log/lighttpd_access.log" | |
| server.modules = ( | |
| "mod_accesslog", | |
| "mod_auth", | |
| "mod_authn_file" | |
| ) | |
| auth.backend = "plain" | |
| auth.backend.plain.userfile = "/etc/lighttpd/.lighttpd_plain_passwd" | |
| auth.require = ("/test" => | |
| ( | |
| "method" => "basic", | |
| "realm" => "Enter password", | |
| "require" => "valid-user" | |
| ) | |
| ) | |
| server.document-root="/var/www" | |
| mimetype.assign = ( | |
| ".html" => "text/html" | |
| ) | |
| index-file.names = ( "index.html" ) | |
| cat /etc/lighttpd/.lighttpd_plain_passwd | |
| foo:foo | |
| lighttpd is started (as root) with this command: | |
| /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd-no-apps.config | |
| Then I run curl: | |
| curl -v -u foo:foo http://192.168.1.2/test | |
| * Trying 192.168.1.2... | |
| * TCP_NODELAY set | |
| * Connected to 192.168.1.2 (192.168.1.2) port 80 (#0) | |
| * Server auth using Basic with user 'foo' | |
| > GET /test HTTP/1.1 | |
| > Host: 192.168.1.2 | |
| > Authorization: Basic Zm9vOmZvbw== | |
| > User-Agent: curl/7.59.0 | |
| > Accept: */* | |
| > | |
| < HTTP/1.1 401 Unauthorized | |
| * Authentication problem. Ignoring this. | |
| < WWW-Authenticate: Basic realm="Enter password", charset="UTF-8" | |
| < Content-Type: text/html | |
| < Content-Length: 351 | |
| < Date: Wed, 18 Apr 2018 15:03:54 GMT | |
| < Server: lighttpd/1.4.48 | |
| < | |
| <?xml version="1.0" encoding="iso-8859-1"?> | |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" | |
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> | |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> | |
| <head> | |
| <title>401 - Unauthorized</title> | |
| </head> | |
| <body> | |
| <h1>401 - Unauthorized</h1> | |
| </body> | |
| </html> | |
| * Connection #0 to host 192.168.1.2 left intact | |
| In the error log I find: | |
| 2018-04-18 15:03:54: (mod_auth.c.525) password doesn't match for /test username: foo, IP: 192.168.1.3 | |
| Thanks in advance, | |
| Derek | |
| Replies (7) | |
| RE: username / password authentication - Added by gstrauss almost 6 years ago | |
| The config works fine -- I just tested it as a non-root user on a high port. (I am running lighttpd 1.4.49 + dev branch, but should be the same behavior) | |
| Make sure you have properly restarted lighttpd and verify that you are using 'foo' (without quotes) as password, based on the info you provided above. | |
| RE: username / password authentication - Added by drkbkr almost 6 years ago | |
| Thanks. | |
| I don't use curl often but I think the command | |
| curl -v -u foo:foo http://192.168.1.2/test | |
| should send the user name and password as expected. | |
| And I think | |
| killall lighttpd | |
| , confirming it's not running anymore, then running | |
| /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd-no-apps.config | |
| should start it up correctly. But I've also rebooted and let the init system start it up too. | |
| I think for my sanity's sake I'll rebuild lighttpd with some extra debug output so I can see what it's comparing when it's matching passwords. Maybe we have some really weird network and / or file system problem. | |
| RE: username / password authentication - Added by gstrauss almost 6 years ago | |
| Check the contents of /etc/lighttpd/.lighttpd_plain_passwd and maybe check your editor. | |
| Rewrite the file with: $ echo foo:foo > /etc/lighttpd/.lighttpd_plain_passwd | |
| The following works fine for me | |
| $ curl -u foo:foo http://127.0.0.1:8080/test | |
| with lighttpd.conf | |
| server.port = 8080 | |
| server.document-root = "/var/www" | |
| index-file.names = ( "index.html" ) | |
| mimetype.assign = ( ".html" => "text/html" ) | |
| server.modules = ( "mod_auth", "mod_authn_file" ) | |
| auth.backend = "plain" | |
| auth.backend.plain.userfile = "/etc/lighttpd/.lighttpd_plain_passwd" | |
| auth.require = ("/test" => | |
| ("method" => "basic", "realm" => "Enter password", "require" => "valid-user" ) | |
| ) | |
| RE: username / password authentication - Added by drkbkr almost 6 years ago | |
| Some new information: | |
| I added the line | |
| log_error_write(srv, __FILE__, __LINE__, "sb", "username is", username); | |
| at line 505 of mod_auth.c. | |
| When I use foo:foo in the curl command, | |
| 2018-04-19 13:24:34: (mod_auth.c.505) username is foo:foo?\xfd | |
| is written to the log. | |
| When I use foo:fo in the curl command, | |
| 2018-04-19 13:24:41: (mod_auth.c.505) username is foo:fo | |
| is written to the log. | |
| After some experimentation we've come to the conclusion that if the length of that username string (including the colon) isn't a multiple of 3, something is padding the end of the string. | |
| Some other info: we're building lighttpd for arm (little endian) using buildroot, which is using the Linaro ARM 2017.11 compiler. | |
| Thanks again for your help. | |
| Derek | |
| RE: username / password authentication - Added by drkbkr almost 6 years ago | |
| And a bit more. | |
| I've also printed out the authentication header: | |
| log_error_write(srv, __FILE__, __LINE__, "sb", "ds is: ", ds->value); | |
| on line 466 of mod_auth.c. That value matches what curl is sending. I took that value (Zm9vOmZvbw==) and passed it through the base64 command and get foo:foo in response. But when it goes through buffer_append_base64_decode in base64.c it comes out padded with the extra characters. | |
| RE: username / password authentication - Added by avij almost 6 years ago | |
| https://github.com/lighttpd/lighttpd1.4/commit/d4083effab0f9bf76528d5c47198b17e7471ed13 is probably related. This bug affects base64 decode on some unusual CPU architectures. | |
| Applying the patch or upgrading to 1.4.49 should resolve your issue. | |
| RE: username / password authentication - Added by drkbkr almost 6 years ago | |
| Thanks guys, the patch got it fixed up. | |
| (1-7/7) | |
| Powered by Redmine © 2006-2023 Jean-Philippe Lang | |
| 2018-04-19 05:11 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment