From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
Date: Wed, 05 Oct 2016 11:52:21 +0100
Message-ID: <1475664741.2582.60.camel@ipfire.org>

Hi,

It didn't occur to me that someone will build SHA just like that. Well,
you have a point here.

However, our version of htpasswd does not have bcrypt:

[root@ipfire ~]# htpasswd --help
Usage:
        htpasswd [-cmdpsD] passwordfile username
        htpasswd -b[cmdpsD] passwordfile username password
        htpasswd -n[mdps] username
        htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password (default).
 -d  Force CRYPT encryption of the password.
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On other systems than Windows, NetWare and TPF the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

Could you please investigate why and how we can enable that? I am really
tight on time this week but I would like to push out the core update as
soon as possible.

Best,
-Michael

On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
> Hello Michael, hello List,
>
> I have a question concerning the commit
> #eef9b2529c3cab522dac4f4bcfa1a0075376514e
> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcfa1a0075376514e).
>
> It is correct that htpasswd uses the MD5 algorithm as default, which is
> not very secure indeed. However, the -s option (which enforces the use
> of SHA) is insecure since there is no salt.
>
> In case IPFire uses the same htpasswd version I use, I'd suggest the
> use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
>
> This issue also appears in the help output of htpasswd:
>
> twilson@fra-03-47-1b:~> htpasswd --help
> [...]
>  -m  Force MD5 encryption of the password (default).
>  -B  Force bcrypt encryption of the password (very secure).
>  -C  Set the computing time used for the bcrypt algorithm
>      (higher is more secure but slower, default: 5, valid: 4 to 31).
>  -d  Force CRYPT encryption of the password (8 chars max, insecure).
>  -s  Force SHA encryption of the password (insecure).
>  -p  Do not encrypt the password (plaintext, insecure).
> [...]
> On other systems than Windows and NetWare the '-p' flag will probably not
> work.
> The SHA algorithm does not use a salt and is less secure than the MD5
> algorithm.
> twilson@fra-03-47-1b:~>
>
> If your htpasswd version is somehow patched against this problem, just
> ignore my e-mail.
> :-)
>
> Best regards,
> Timmothy Wilson
>
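The thread turns on which hash scheme an htpasswd file stores and why the unsalted `{SHA}` form produced by `-s` is weaker than the salted `$apr1$` (MD5) and `$2y$` (bcrypt) forms. The script below is an added example, not IPFire's or Apache's code: it audits an htpasswd file by the prefix htpasswd writes for each option, flags the entries the thread calls insecure (plaintext, crypt, unsalted SHA), and shows the concrete consequence of the missing salt: two users with the same password get a byte-identical `{SHA}` string. The `{SHA}` encoding (`{SHA}` followed by base64 of the raw SHA-1 digest) is htpasswd's real format; the `SAMPLE` file, user names, and the apr1/bcrypt digests are constructed placeholders of the right shape and are not verified, only classified.

```python
"""Audit an htpasswd file for weak hash schemes (added example, not IPFire code)."""
import base64
import hashlib
import re

# Prefixes htpasswd writes for each option. Group 1 captures the per-entry
# parameter (bcrypt cost, apr1 salt) so a reader can see that a salt is present.
SCHEME_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$(\d{2})\$")),      # -B: salted, tunable cost
    ("apr1-md5", re.compile(r"^\$apr1\$([^$]{1,8})\$")),  # -m: salted (Apache MD5)
    ("sha1", re.compile(r"^\{SHA\}")),                    # -s: no salt at all
]

REASONS = {
    "sha1": "unsalted SHA-1 (-s): equal passwords give equal hashes",
    "crypt": "traditional crypt (-d): only the first 8 characters count",
    "plaintext": "stored in the clear (-p)",
}
WEAK = set(REASONS)


def sha_entry(password: str) -> str:
    """Reproduce what `htpasswd -s` stores: '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def classify(hash_field: str) -> dict:
    """Name the scheme of one stored hash and pull out its salt/cost parameter."""
    for name, pat in SCHEME_PATTERNS:
        m = pat.match(hash_field)
        if m:
            return {"scheme": name, "param": m.group(1) if m.groups() else None}
    # Traditional crypt is 13 chars: 2 salt chars + 11 hash chars. A plaintext
    # password of exactly that shape would be misread as crypt; acceptable here.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return {"scheme": "crypt", "param": hash_field[:2]}
    return {"scheme": "plaintext", "param": None}


def _entries(htpasswd_text: str):
    """Yield (user, hash) pairs, skipping blank and comment lines."""
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        yield user, hash_field


def audit(htpasswd_text: str) -> list:
    """Return (user, scheme, reason) for every entry in a weak scheme."""
    findings = []
    for user, hash_field in _entries(htpasswd_text):
        scheme = classify(hash_field)["scheme"]
        if scheme in WEAK:
            findings.append((user, scheme, REASONS[scheme]))
    return findings


def duplicate_hashes(htpasswd_text: str) -> dict:
    """Group users whose stored hash is byte-identical. With a salted scheme this
    essentially never happens; with {SHA} it happens whenever a password repeats,
    so one precomputed table breaks every such account at once."""
    by_hash = {}
    for user, hash_field in _entries(htpasswd_text):
        by_hash.setdefault(hash_field, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


# Constructed sample file. The apr1 and bcrypt digests are placeholders of the
# correct length, not real hashes; the {SHA} entries are genuine -s output.
SAMPLE = "\n".join([
    "# constructed sample, not a real IPFire file",
    "admin:" + sha_entry("correct horse"),
    "backup:" + sha_entry("correct horse"),
    "dave:$apr1$Zz9Pq7Lb$" + "a" * 22,
    "erin:$2y$05$" + "b" * 53,
    "frank:hunter2",
])

if __name__ == "__main__":
    for user, scheme, reason in audit(SAMPLE):
        print(f"{user}: {scheme}: {reason}")
    for h, users in duplicate_hashes(SAMPLE).items():
        print("identical hash shared by", ", ".join(users), "->", h)
```

Run against a real file, `audit` lists the accounts that still need to be re-created with `-m` or, once the build supports it, `-B`; `duplicate_hashes` is the quick check that makes the "no salt" point visible without cracking anything.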