Have you succeeded in using mod_auth_mysql with AES crypt?

Posted by ImageLogic, 02-09-2011, 10:04 PM
If you've been fortunate enough to have made AES encryption work with mod_auth_mysql, would you be so kind as to share two things: 1) Your httpd.conf settings; and, 2) How you encrypted the password.

I can get it to work just fine with passwords stored in plain text, but prudence dictates a more secure storage such as offered by AES encryption. Unfortunately, when I use the "AuthMySQLPwEncryption aes" directive on an AES encrypted password stored in the database, instead of "AuthMySQLPwEncryption none" on a plain text password stored in the database, the mod_auth_mysql challenge upon browsing a protected directory will not accept the ID & password.

Regards, Aza D. Oberman

Posted by YUPAPA, 02-10-2011, 10:12 PM
Did you build mod_auth_mysql with AES support?

Posted by ImageLogic, 02-13-2011, 04:52 PM
Well, it turns out that RPM or YUM installations of mod_auth_mysql 3.0.0 do *NOT* incorporate AES support (contrary to the "news" statements). Each installation errors with "mysql invalid encryption method aes" when a sign-in is attempted. MySQL AES_ENCRYPT and AES_ENCRYPT are working fine. This indicates that the MySQL AES support is in place and working.

Manually compiling and installing mod_auth_mysql is possible, but it looks like one has to hack the "C" code to use APR_OFFSETOF instead of APR_XtOffsetOf. The compile and install from that point forward are uneventful. Unfortunately, the compile and install weren't able to link properly with the MySQL lib. Even with an explicit library path, my_aes_encrypt() would not link in. my_aes_encrypt() is the underlying function used by MySQL's AES_CRYPT, which works just fine.

Not that I am somehow the pinnacle of doing installations under CentOS, but I've reluctantly concluded that mod_auth_mysql simply can't handle a robust secure password encryption technique like AES. It's fine with plain text and perhaps with some unfortunately more vulnerable encryption techniques, but it can't run with the big dogs any more. Sad to see such a promising tool begin to fade.

Thanks to all of you for your suggestions and generous help.

Regards, Aza
