From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: htpasswd: message digest algorithm
Date: Sun, 23 Oct 2016 19:10:35 +0100 [thread overview]
Message-ID: <1477246235.9760.16.camel@ipfire.org> (raw)
In-Reply-To: <06a96e4b-e383-636c-c0b0-284d033b3510@web.de>
[-- Attachment #1: Type: text/plain, Size: 2289 bytes --]
Hi,
On Sun, 2016-10-23 at 14:21 +0000, IT Superhack wrote:
> Hello Michael,
>
> sorry for the late reply.
>
> Michael Tremer:
> >
> > Hi,
> >
> > On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> > >
> > > Hello Michael,
> > > hello Development-List (in CC),
> > >
> > > sorry for rehashing the issue: At 2016-10-06 I summarized
> > > my findings about htpasswd and its lack of bcrypt. Unfortunately,
> > > the bcrypt message digest algorithm is only available in
> > > the htpasswd version provided by the Apache Web Server (version
> > > 2.4.4 or later).
> > >
> > > Since it uses SHA *without any salt*, it seems to be more
> > > secure in my point of view to use the MD5 method instead, where
> > > a salt is used.
> >
> > I agree with this. Although not optimal, this is probably the option with
> > better
> > security (assuming to BF against rainbow table).
> I'm afraid, yes.
> >
> >
> > I added some more details to the commit message:
> > http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9
> > bab0b305ff5b92194b134
> >
> > >
> > > Thereof I kindly ask you to revert the commit
> > > #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> > > were introduced. I know the developers are busy because of
> > > Core Update 106, and it can always happen that something slips
> > > through the fingers. :-)
> > >
> > > Thanks and best regards,
> > > Timmothy Wilson
> >
> > Thanks for making me reconsider this.
> You're welcome.
>
> Could you please correct the release announcement of the 106 beta version,
> too? It says
> in the "misc" section that the hash algorithm has been changed. I guess it is
> an
> older version.
This is actually referring to this commit:
http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=da314725051fe0ebf56fd9d28dae78ab7406c6f4
I removed the "admin" part which never should have been mentioned.
> >
> >
> > However, I would be happy to receive any patches that add support for bcrypt
> > to
> > *actually* fix this.
> As I said, this depends on Apache, which is a bigger task (and probably
> way too big for me). Sorry.
> >
> >
> > Best,
> > -Michael
> >
> Best regards,
> Timmothy Wilson
-Michael
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
prev parent reply other threads:[~2016-10-23 18:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-15 8:16 htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e) IT Superhack
2016-10-15 21:48 ` Michael Tremer
2016-10-23 14:21 ` htpasswd: message digest algorithm IT Superhack
2016-10-23 18:10 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1477246235.9760.16.camel@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox