Barry on WordPress

mod_auth_mysql and phpass

With the release of WordPress 2.5, there were some significant changes to the way passwords were stored in the database.  Prior to 2.5, passwords were stored as MD5 hashes.  While simple and easy, there were some security implications, so since 2.5, passwords are now salted and hashed using the phpass encryption library.  At Automattic we like to keep things simple, so we use the WordPress and bbPress user system for external authentication for things such as Trac and Subversion.  This allows us an effective and simple single sign on (SSO) solution for almost everything we do.  Unfortunately, the existing mod_auth_mysql apache module did not have support for the new password format.

Thanks to Nikolay, we now have the best of both worlds.  He has patched mod_auth_mysql to support phpass.  This means you can now have plug and play authentication against your WordPress blog or bbPress forum almost anywhere you can think of.  The patch allows automatic fallback to MD5 in case the user has not yet logged into WordPress and their password is still stored in the old format.  

Once the new module is loaded, you will just need to replace the following line in your apache configuration file.

OLD:AuthMySQLPwEncryption md5
NEW:AuthMySQLPwEncryption phpass

You can download the patched version here. It has been tested with Apache 2.2.3 and MySQL 4.1/5.0

Barry

27 responses to “mod_auth_mysql and phpass”

  1. Ma.tt » WordPress + mod_auth_mysql Avatar
    Ma.tt » WordPress + mod_auth_mysql

    […] mod_auth_mysql and phpass […]

    Reply
  2. Beau Avatar
    Beau

    2 words: bad ass.

    Reply
  3. James Avatar
    James

    I wrote the patch that added phpass to WordPress and this is pretty cool news. Always good to see more support.

    Reply
  4. JERSEY-BARKER » Blog Archive » Matt: WordPress + mod_auth_mysql

    […] mod_auth_mysql and phpass, a new patch that allows Apache authentication (for Subversion, Trac, enterprise integration systems) to work with the new WordPress secure password storage. Powered by Bookmarkify™ Tags: word press […]

    Reply
  5. Oyvind Avatar
    Oyvind

    Nice, I was just thinking about how to integrate Trac/SVN/BBpress/Wordpress on one site. Having a single sign on will be a killer feature for this setup.

    Do you have a short howto or description of how this is configured for the different components?

    Reply
  6. chewy22222003 Avatar
    chewy22222003

    Is there also a patch for Nginx, or will it use the Apache mod_auth_mysql module?

    Reply
  7. Dave Coveney Avatar
    Dave Coveney

    Damn – another thing to play with instead of doing the work I’m supposed to be doing!

    Reply
  8. WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News : The Blog Herald

    […] Patch: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage […]

    Reply
  9. WordPress Wednesday News: WordCamps Everywhere, Apache Patch for Securer Passwords, WordPress Plugin Contest, and More WordPress News | Writing & Blogging Info

    […] Patch: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage […]

    Reply
  10. Scott Jarkoff :: mod_auth_mysql and phpass

    […] mod_auth_mysql and phpass Keep things simple with WordPress and bbPress by using a simple single sign on (SSO) solution which authenticates users against the WordPress user system. This updated mod_auth_mysql apache module has support for the new WordPress password format. […]

    Reply
  11. trance Avatar
    trance

    interestingly!

    Reply
  12. WordPress Wednesday News: WordPress 5 Years Old, WordCamps International, WordPress 2.6 On Track, Plugin Competition is Hot, Genko Updated : The Blog Herald

    […] Secure Storage: Barry Abramson writes about mod_auth_mysql and phpass, a new patch for Apache authentication which works with the new WordPress secure password storage […]

    Reply
  13. Colin Charles Agenda » Blog Archive » mod_auth_mysql patched to work with phpass

    […] so, the nice folk at Automattic (makers of fine blogging software like WordPress) have released a patched version that works with […]

    Reply
  14. J’s blog » Blog Archive » Catching up again…

    […] mod_auth_mysql and phpass « Barry on WordPress […]

    Reply
  15. Jud Avatar
    Jud

    This is awesome indeed — how about a Win32 build?

    Reply
  16. space man Avatar
    space man

    Always good to see more support:)thanks for info:)

    Reply
  17. IgoruS Avatar
    IgoruS

    Hi.
    Interesting article.
    Thank you
    And how to subscribe to RSS?

    Reply
  18. serfman Avatar
    serfman

    Is there also a patch for Nginx, or will it use the Apache mod_auth_mysql module?

    Reply
  19. Alex Avatar
    Alex

    very interesting
    thanx

    Reply
  20. Joe Jacobs Avatar
    Joe Jacobs

    is it possible to use this with litespeed? you guys use litespeed right?

    Reply
  21. Barry Avatar
    Barry

    Unfortunately not possible at this time. We are working on Nginx integration now. Once its complete, I will announce it on my blog. We are moving away from Litespeed.

    Reply
  22. amfetamin Avatar
    amfetamin

    тук тук, кто по русски понимать?
    how can i “make” this patched mod auth mysql on freebsd 7.1 ? Im not strong in code && english too =(
    mb u make an bsd port? it will be nice =)

    Reply
  23. Magoo – Authenticating svn and trac with wordpress

    […] could be exploited. Searching around some more I found the awesome work of Nikolay. given out on Barry’s blog, and explaining the install process.  Nikolay made an apache module to compile that added in […]

    Reply
  24. Rohan Kapoor Avatar
    Rohan Kapoor

    Hi. I’m trying to get this to work on wordpress mu 2.8.4 and CENTOS 5.3. The module won’t compile. Can you help?

    Reply
    1. Diego Avatar
      Diego

      Rohan, did you finally get it working?

      Reply
  25. karachoooo Avatar
    karachoooo

    Upstream?

    Reply
  26. Diego Avatar
    Diego

    Barry,I´m newbie on this topics. I tried to install it on Centos 6.6 and after running the command “apxs -c -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c” I get the following:

    /usr/lib64/apr-1/build/libtool –silent –mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m64 -mtune=generic -Wformat-security -fno-strict-aliasing -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -I/usr/include/mysql -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
    mod_auth_mysql.c:591: aviso: declaración implícita de la función ‘APR_XtOffsetOf’
    mod_auth_mysql.c:591: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:595: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:599: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:603: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:607: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:611: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:615: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:619: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:623: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:627: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:631: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:635: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:639: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:643: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:651: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:655: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:659: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:663: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:667: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c:671: error: expected expression before ‘mysql_auth_config_rec’
    mod_auth_mysql.c: En la función ‘str_format’:
    mod_auth_mysql.c:891: aviso: el formato ‘%d’ espera el tipo ‘int’, pero el argumento 7 es de tipo ‘long int’
    mod_auth_mysql.c: En la función ‘format_request’:
    mod_auth_mysql.c:940: aviso: declaración implícita de la función ‘ap_pstrcat’
    mod_auth_mysql.c:947: aviso: los tipos de datos punteros/enteros no coinciden en la expresión condicional
    apxs:Error: Command failed with rc=65536

    Any help?

    Thanks in advance

    Diego

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: