• INN2, unofficial rewrite ckpasswd in PHP to bad experiment compatible with htpasswd bcrypt or sqlite db authentication method.

    From Roberto CORRADO@i@secure.corradoroberto.it to news.software.nntp on Fri Feb 27 16:45:08 2026
    From Newsgroup: news.software.nntp

    Dear newsadmin,
    I am writing because I would like to share my bad script with anyone who might need it... I consider bcrypt to be a good level of security for encrypting passwords.
    I hope I have done something pleasing.
    Have a nice day.
    --
    Roberto https://secure.corradoroberto.it/m9/usenet2/newsgroups.php?art_group=news.software.nntp&article_id=1486
    """
    #!/usr/bin/php
    <?php
    // APR1-MD5 encryption method (windows compatible)
    function crypt_apr1_md5($plainpasswd, $salt){
        $tmp = "";
        $len = strlen($plainpasswd);
        $text = $plainpasswd.'$apr1$'.$salt;
        $bin = pack("H32", md5($plainpasswd.$salt.$plainpasswd));
        for($i = $len; $i > 0; $i -= 16) { $text .= substr($bin, 0, min(16, $i)); }
        for($i = $len; $i > 0; $i >>= 1) { $text .= ($i & 1) ? chr(0) : $plainpasswd[0]; }
        $bin = pack("H32", md5($text));
        for($i = 0; $i < 1000; $i++){
            $new = ($i & 1) ? $plainpasswd : $bin;
            if ($i % 3) $new .= $salt;
            if ($i % 7) $new .= $plainpasswd;
            $new .= ($i & 1) ? $bin : $plainpasswd;
            $bin = pack("H32", md5($new));
        }
        for ($i = 0; $i < 5; $i++){
            $k = $i + 6;
            $j = $i + 12;
            if ($j == 16) $j = 5;
            $tmp = $bin[$i].$bin[$k].$bin[$j].$tmp;
        }
        $tmp = chr(0).chr(0).$bin[11].$tmp;
        $tmp = strtr(strrev(substr(base64_encode($tmp), 2)),
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
            "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
        return "$"."apr1"."$".$salt."$".$tmp;
    }
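    // Return the stored hash for $username from the password file, or false
    function get_htpasswd ($passwdFile, $username){
        $lines = file($passwdFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        if ($lines === false) return false; // file missing or unreadable
        foreach ($lines as $line){
            $arr = explode(":", $line);
            if (count($arr) < 2) continue; // skip lines without a ':' separator
            $fileUsername = $arr[0];
            // Strict comparison: no type juggling on the user name
            if ($fileUsername === $username){
                $filePasswd = trim($arr[1]);
                return $filePasswd;
            }
        }
        return false;
    }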
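    // Check $password against a stored hash; the prefix selects the scheme
    function matches($password, $filePasswd){
        // No stored hash (unknown user) never matches
        if (!is_string($filePasswd) || $filePasswd === '') return false;
        if (strpos($filePasswd, '$apr1') === 0){
            // MD5
            $passParts = explode('$', $filePasswd);
            if (!isset($passParts[2])) return false; // malformed entry
            $salt = $passParts[2];
            $hashed = crypt_apr1_md5($password, $salt);
            // hash_equals(): constant-time, and immune to "0e..." loose-comparison matches
            return hash_equals($filePasswd, $hashed);
        }elseif (strpos($filePasswd, '{SHA}') === 0){
            // SHA1
            $hashed = "{SHA}" . base64_encode(sha1($password, TRUE));
            return hash_equals($filePasswd, $hashed);
        }elseif (strpos($filePasswd, '$2y$') === 0){
            // Bcrypt
            return password_verify ($password, $filePasswd);
        }else{
            // Crypt
            $salt = substr($filePasswd, 0, 2);
            $hashed = crypt($password, $salt);
            return is_string($hashed) && hash_equals($filePasswd, $hashed);
        }
    }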
    // Read the ClientAuthname: / ClientPassword: lines from stdin
    $username = '';
    $password = '';
    $handle = fopen('php://stdin', 'r');
    while (($buffer = fgets($handle)) !== false){
        $prefix = 'ClientAuthname:';
        if(substr($buffer, 0, strlen($prefix)) == $prefix){
            $username = trim(substr($buffer, strlen($prefix)));
        }
        $prefix = 'ClientPassword:';
        if(substr($buffer, 0, strlen($prefix)) == $prefix){
            $password = trim(substr($buffer, strlen($prefix)));
        }
    }
    fclose($handle);
    // An empty or unknown user name is rejected before any hash is compared
    $filePasswd = ($username === '') ? false : get_htpasswd('/etc/inn/local-user-database', $username);
    if($filePasswd !== false && matches($password, $filePasswd)){
        echo "User:$username\n";
        exit(0);
    }else{
        echo "ckpasswd: invalid password for user $username\n";
        exit(1);
    }

    """
    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Julien ÉLIE@iulius@nom-de-mon-site.com.invalid to news.software.nntp on Fri Feb 27 20:19:36 2026
    From Newsgroup: news.software.nntp

    Hi Roberto,

    > I consider bcrypt to be a good level of security for encrypting passwords.

    FWIW, ckpasswd understands other kinds of passwords than htpasswd ones.
    See:
    https://www.eyrie.org/~eagle/software/inn/docs/ckpasswd.html

    where an example of password can be generated with for instance:

    % openssl passwd -5 pass
    $5$UIhtJSBOaC0Ap3Vk$nbKgmykshoQ2HmvA3s/nI.X4uhhNHBKTYhBS3pYLjJ6
    --
    Julien ÉLIE

    « A little girl comes home from school:
    "Have you heard the latest?"
    "No."
    "It's me!" » (Jean Nohain)

    --- Synchronet 3.21b-Linux NewsLink 1.2
  • From Roberto CORRADO@i@secure.corradoroberto.it to news.software.nntp on Fri Feb 27 21:54:34 2026
    From Newsgroup: news.software.nntp

    "Julien ÉLIE" wrote:
    > FWIW, ckpasswd understands other kinds of passwords than htpasswd ones.
    > See:
    > https://www.eyrie.org/~eagle/software/inn/docs/ckpasswd.html
    >
    > where an example of password can be generated with for instance:
    >
    > % openssl passwd -5 pass
    > $5$UIhtJSBOaC0Ap3Vk$nbKgmykshoQ2HmvA3s/nI.X4uhhNHBKTYhBS3pYLjJ6

    Hi Julien,
    effectively this is better than bcrypt. I apologize, I didn't know, but the PHP code remains a valid hook for a SQLite database without a flat file.
    I never stop learning something new every day.
    Thank you!
    --
    Roberto
    --- Synchronet 3.21b-Linux NewsLink 1.2
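
Added example, not from the thread and not INN code: a SQLite-backed counterpart to the get_htpasswd() lookup, following the SQLite hook mentioned in the last post. The users table, its columns, the sample account and the helper names open_user_db(), get_sqlite_passwd() and check_user() are assumptions made for illustration; it needs PHP's pdo_sqlite extension.

```php
<?php
// Added example, not the poster's code. Table, columns and users are constructed.

function open_user_db(string $dsn): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS users (
                   username TEXT PRIMARY KEY,
                   hash     TEXT NOT NULL)');
    return $db;
}

// Same contract as get_htpasswd(): the stored hash, or false if no such user.
function get_sqlite_passwd(PDO $db, string $username) {
    // Bound parameter: the client-supplied name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) ? $hash : false;
}

function check_user(PDO $db, string $username, string $password): bool {
    $stored = get_sqlite_passwd($db, $username);
    if ($stored === false) {
        // Unknown user: spend one bcrypt computation anyway so response time
        // does not separate "no such user" from "wrong password" as clearly.
        password_hash($password, PASSWORD_BCRYPT);
        return false;
    }
    return password_verify($password, $stored);
}

// Constructed demo data in an in-memory database.
$db = open_user_db('sqlite::memory:');
$add = $db->prepare('INSERT INTO users (username, hash) VALUES (:u, :h)');
$add->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_BCRYPT)]);

$cases = [
    ['alice', 'correct horse'],        // valid credentials
    ['alice', 'wrong'],                // bad password
    ['nobody', 'correct horse'],       // unknown user
    ["alice' OR '1'='1", 'anything'],  // quote characters stay data, not SQL
];
foreach ($cases as [$user, $pass]) {
    printf("%-20s %s\n", $user, check_user($db, $user, $pass) ? 'accept' : 'reject');
}
```

Only the first case is accepted. For a real deployment the DSN would point at a database file that the news user can read and other local accounts cannot.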