scripts/htpasswd


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

#!/usr/bin/env python
# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2
# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain
#
# Original license:
# * "THE BEER-WARE LICENSE" (Revision 42):
# * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
# * can do whatever you want with this stuff. If we meet some day, and you think
# * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
#
# This port adds no further stipulations.  I forfeit any copyright interest.

from __future__ import print_function
import md5
import random
import string
import sys
import getpass

def hash(password, salt, magic='$apr1$'):
    # /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */
    m = md5.new()
    m.update(password + magic + salt)

    # /* Then just as many characters of the MD5(pw,salt,pw) */
    mixin = md5.md5(password + salt + password).digest()
    for i in range(0, len(password)):
        m.update(mixin[i % 16])

    # /* Then something really weird... */
    # Also really broken, as far as I can tell.  -m
    i = len(password)
    while i:
        if i & 1:
            m.update('\x00')
        else:
            m.update(password[0])
        i >>= 1

    final = m.digest()

    # /* and now, just to make sure things don't run too fast */
    for i in range(1000):
        m2 = md5.md5()
        if i & 1:
            m2.update(password)
        else:
            m2.update(final)

        if i % 3:
            m2.update(salt)

        if i % 7:
            m2.update(password)

        if i & 1:
            m2.update(final)
        else:
            m2.update(password)

        final = m2.digest()

    # This is the bit that uses to64() in the original code.

    itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

    rearranged = ''
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c])
        for i in range(4):
            rearranged += itoa64[v & 0x3f]; v >>= 6

    v = ord(final[11])
    for i in range(2):
        rearranged += itoa64[v & 0x3f]; v >>= 6

    return magic + salt + '$' + rearranged

def usage():
    print('%s: usage: %s [-cD] passwdfile username' %
        (sys.argv[0], sys.argv[0]), file=sys.stderr)

def salt(len):
    return ''.join([random.choice(string.ascii_letters + string.digits)
        for x in range(len)])

def write_passwords(passwords, path):
    with open(path, 'w') as f:
        for (username, pwhash) in passwords:
            f.write('%s:%s\n' % (username, pwhash))

def ask_password():
    x = getpass.getpass('New password: ')
    y = getpass.getpass('Re-type password: ')

    return x if x == y else None

if len(sys.argv) not in [3, 4]:
    if len(sys.argv) == 4 and sys.argv[1] not in ['-c', '-D', '-cD', '-Dc']:
        usage()
        sys.exit(2)

flags = len(sys.argv) == 4
create_flag = flags and 'c' in sys.argv[1]
delete_flag = flags and 'D' in sys.argv[1]

if create_flag and delete_flag:
    print('%s: -c and -D options conflict' % sys.argv[0], file=sys.stderr)
    sys.exit(2)

file_path = sys.argv[flags + 1]
username = sys.argv[flags + 2]

if not delete_flag:
    password = ask_password()

    if password == None:
        exit("%s: passwords weren't the same" % sys.argv[0])

contents = []
found = False

if not create_flag:
    with open(file_path, 'r') as f:
        # read in the existing passwd file
        # replace entry for 'username' with entry containing new hash
        # unless -D is used, in which case we remove the entry
        #
        # example entry: username:$apr1$gdehCd2T$ppFjRXlf1alPKSHqcBrjk0

        for line in f:
            (u, ph) = string.split(line.strip('\n'), ':')

            if u == username:
                if not delete_flag:
                    ph = hash(password, salt(8))
                    print('Updating password for user %s' % username)
                    contents.append((u, ph))

                found = True
            else:
                contents.append((u, ph))

if not found:
    if delete_flag:
        print('User %s not found' % username)
    else:
        print('Adding password for user %s' % username)
        contents.append((username, hash(password, salt(8))))

write_passwords(contents, file_path)