Archive | May, 2008

mod_auth_mysql and phpass

19 May

With the release of WordPress 2.5, there were some significant changes to the way passwords are stored in the database. Prior to 2.5, passwords were stored as MD5 hashes. That approach was simple, but it had some security implications, so since 2.5 passwords are salted and hashed using the phpass password hashing library. At Automattic we like to keep things simple, so we use the WordPress and bbPress user system for external authentication for things such as Trac and Subversion. This gives us an effective and simple single sign-on (SSO) solution for almost everything we do. Unfortunately, the existing mod_auth_mysql Apache module did not support the new password format.

Thanks to Nikolay, we now have the best of both worlds. He has patched mod_auth_mysql to support phpass. This means you can now have plug-and-play authentication against your WordPress blog or bbPress forum almost anywhere you can think of. The patch automatically falls back to MD5 in case the user has not yet logged into WordPress and their password is still stored in the old format.
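The check order described above (phpass first, plain MD5 for rows that have not been upgraded yet), as an added Python example that is not Nikolay's patch or mod_auth_mysql code. It assumes the portable phpass format (a `$P$` or `$H$` prefix, one cost character, an 8-character salt) and that an old-format row holds a 32-character hex MD5 digest; the sample rows are constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass base-64 variant: little-endian 3-byte groups, 6 bits per character."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password: str, setting: str):
    """Recompute a portable phpass hash from a stored value; None if malformed."""
    if len(setting) < 12 or not setting.startswith(("$P$", "$H$")):
        return None
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:      # cost character outside phpass's range
        return None
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()  # 8-char salt
    for _ in range(1 << count_log2):   # iterated MD5 stretching
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def check_password(password: str, stored: str) -> bool:
    """Try phpass first, then fall back to the pre-2.5 unsalted MD5 format."""
    if stored.startswith(("$P$", "$H$")):
        computed = phpass_hash(password, stored)
        return computed is not None and hmac.compare_digest(
            computed.encode(), stored.encode())
    if len(stored) == 32:              # assumption: legacy row is hex MD5
        legacy = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(legacy.encode(), stored.lower().encode())
    return False

# Constructed sample rows (not taken from any real database).
NEW_ROW = phpass_hash("correct horse", "$P$B" + "saltsalt")
OLD_ROW = hashlib.md5(b"correct horse").hexdigest()

if __name__ == "__main__":
    for row in (NEW_ROW, OLD_ROW):
        print(row, check_password("correct horse", row), check_password("wrong", row))
```

Rows that still authenticate through the MD5 branch are the ones to keep track of, since they stay in the old format until the user next logs into WordPress.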

Once the new module is loaded, you will just need to replace the following line in your Apache configuration file:

OLD: AuthMySQLPwEncryption md5
NEW: AuthMySQLPwEncryption phpass

You can download the patched version here. It has been tested with Apache 2.2.3 and MySQL 4.1/5.0.
