passlib.apache.HtpasswdFile generates bcrypt hashes that aren't compatible with htpasswd

Issue #95 new
Lie Ryan created an issue

passlib generates htpasswd with the $2b$ scheme:

$ python -c 'from passlib.apache import HtpasswdFile; pf = HtpasswdFile(default_scheme="portable"); pf.set_password("user", "test"); print pf.to_string()' | tee passfile
user:$2b$12$RrmjkD24nd8H3z/sEOTeVO58G543CJqlc.M0FDKAemK6a.jjMeFyu

However, htpasswd fails verifying these hashes:

$ htpasswd -b -v passfile user test
password verification failed

This is because htpasswd expects bcrypt to use the $2y$ scheme. Simply replacing $2b$ with $2y$ produces a usable htpasswd file:

$ sed -i -e 's/\$2b\$/$2y$/' passfile
$ htpasswd -b -v passfile user test
Password for user user correct.

Expected behavior: passlib.apache.HtpasswdFile should generate htpasswd-compatible password files.

Version info:

$ apache2 -v
Server version: Apache/2.4.25 (Ubuntu)
Server built:   2017-07-27T14:32:31

$ pip freeze | grep passlib
passlib==1.7.1
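
The `$2b$` to `$2y$` rewrite from the report above, as an added example (not part of the original issue and not passlib's code): it re-tags only the hash field of well-formed bcrypt entries, whereas the `sed` one-liner replaces the first `$2b$` found anywhere on a line. The function name and every sample entry other than the reporter's hash are constructed for illustration.

```python
import re

# Hash field layout: $2b$ + 2-digit cost + $ + 22-char salt + 31-char digest.
BCRYPT_2B = re.compile(r"^\$2b\$(\d{2}\$[./A-Za-z0-9]{53})$")


def rewrite_bcrypt_ident(htpasswd_text):
    """Re-tag $2b$ bcrypt entries as $2y$; return (new_text, changed_users)."""
    out, changed = [], []
    for line in htpasswd_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        # Split at the first colon only, so the user name is never rewritten.
        user, sep, hash_field = body.partition(":")
        match = BCRYPT_2B.match(hash_field) if sep else None
        if match:
            body = user + ":$2y$" + match.group(1)
            changed.append(user)
        out.append(body + eol)
    return "".join(out), changed


# Constructed sample: the first hash is the one from the report; the
# $apr1$ entry and the odd user name are made up for illustration.
SAMPLE = (
    "user:$2b$12$RrmjkD24nd8H3z/sEOTeVO58G543CJqlc.M0FDKAemK6a.jjMeFyu\n"
    "legacy:$apr1$constructed$0123456789abcdefghijkl\n"
    "odd$2b$name:$2b$12$RrmjkD24nd8H3z/sEOTeVO58G543CJqlc.M0FDKAemK6a.jjMeFyu\n"
)

if __name__ == "__main__":
    text, users = rewrite_bcrypt_ident(SAMPLE)
    print(text, end="")
    print("re-tagged:", users)
```

Entries that are not `$2b$` bcrypt hashes pass through unchanged, and running the function on its own output changes nothing.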

Comments (4)

  1. Eli Collins repo owner

    Thanks for catching this!

    I'll try and work up some UTs that actually run things through htpasswd so this doesn't reoccur.
