From: IT Superhack
To: development@lists.ipfire.org
Subject: Re: htpasswd: message digest algorithm
Date: Sun, 23 Oct 2016 14:21:00 +0000
Message-ID: <06a96e4b-e383-636c-c0b0-284d033b3510@web.de>
In-Reply-To: <1476568139.9950.54.camel@ipfire.org>

Hello Michael,

sorry for the late reply.

Michael Tremer:
> Hi,
>
> On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
>> Hello Michael,
>> hello Development-List (in CC),
>>
>> sorry for rehashing the issue: On 2016-10-06 I summarized
>> my findings about htpasswd and its lack of bcrypt. Unfortunately,
>> the bcrypt message digest algorithm is only available in
>> the htpasswd version provided by the Apache Web Server (version
>> 2.4.4 or later).
>>
>> Since it uses SHA *without any salt*, it seems to be more
>> secure in my point of view to use the MD5 method instead, where
>> a salt is used.
>
> I agree with this. Although not optimal, this is probably the option with better
> security (assuming to BF against rainbow table).

I'm afraid, yes.

>
> I added some more details to the commit message:
> http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134
>
>> Therefore I kindly ask you to revert the commit
>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
>> were introduced. I know the developers are busy because of
>> Core Update 106, and it can always happen that something slips
>> through the fingers. :-)
>>
>> Thanks and best regards,
>> Timmothy Wilson
>
> Thanks for making me reconsider this.

You're welcome.

Could you please correct the release announcement of the 106 beta version, too?
It says in the "misc" section that the hash algorithm has been changed.
I guess it is an older version.

>
> However, I would be happy to receive any patches that add support for bcrypt to
> *actually* fix this.

As I said, this depends on Apache, which is a bigger task (and probably way
too big for me). Sorry.

>
> Best,
> -Michael
>

Best regards,
Timmothy Wilson
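The point the thread turns on, that htpasswd's SHA entries (`htpasswd -s`) carry no salt while its MD5 entries (`htpasswd -m`, the `$apr1$` MD5-crypt variant) do, can be shown without the htpasswd binary. The following is an added example, not code from the thread or from IPFire: it re-implements both entry formats in Python, verifies passwords against them, and runs the precomputed-table attack that the salt defeats. The wordlist and the fixed salts it uses are constructed for the demonstration.

```python
"""Added example: unsalted {SHA} vs salted $apr1$ htpasswd entries.

Stand-alone re-implementation of the two formats discussed in the thread
(not the project's code). {SHA} is base64(SHA-1(password)); $apr1$ is
Apache's MD5-crypt: 8-character salt, 1000 rounds, custom base64 alphabet.
"""
import base64
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha_entry(password):
    """htpasswd -s format. Same password always gives the same entry: no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def _to64(value, count):
    """MD5-crypt's little-endian 6-bit encoding over the ITOA64 alphabet."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_entry(password, salt=None):
    """htpasswd -m format ($apr1$). A random salt is drawn when none is given."""
    if salt is None:
        salt = "".join(chr(secrets.choice(ITOA64)) for _ in range(8))
    pw = password.encode()
    sb = salt[:8].encode()
    magic = b"$apr1$"
    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # mix in len(pw) bytes of alt
        ctx.update(alt[: min(remaining, 16)])
        remaining -= 16
    i = len(pw)
    while i:                                   # the "really weird" step
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):                    # stretching rounds
        c = hashlib.md5()
        c.update(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sb)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    enc = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + sb + b"$" + enc).decode()


def verify(password, entry):
    """Recompute the entry from the candidate password and compare in constant time."""
    if entry.startswith("{SHA}"):
        return secrets.compare_digest(sha_entry(password), entry)
    if entry.startswith("$apr1$"):
        salt = entry.split("$")[2]             # salt is stored in the entry
        return secrets.compare_digest(apr1_entry(password, salt), entry)
    raise ValueError("unsupported htpasswd entry")


def crack_with_table(entries, wordlist):
    """Offline attack as discussed in the thread: one precomputed {SHA} table
    cracks every unsalted entry by lookup, while each $apr1$ entry forces
    the attacker to redo the 1000-round hash per entry because of its salt."""
    table = {sha_entry(w): w for w in wordlist}   # built once, reused forever
    found = {}
    for e in entries:
        if e.startswith("{SHA}"):
            found[e] = table.get(e)
        else:
            found[e] = next((w for w in wordlist if verify(w, e)), None)
    return found


if __name__ == "__main__":
    words = ["password", "letmein"]            # constructed wordlist
    demo = [sha_entry("letmein"), apr1_entry("letmein"), apr1_entry("letmein")]
    for entry, hit in crack_with_table(demo, words).items():
        print(entry, "->", hit)
```

Running it prints two different `$apr1$` entries for the same password while the `{SHA}` entry is a fixed string that any precomputed table maps straight back to the password; the salted entries still fall to the wordlist here, but only after per-entry work, which is the whole difference the thread relies on.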