From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: htpasswd: message digest algorithm
Date: Sun, 23 Oct 2016 19:10:35 +0100
Message-ID: <1477246235.9760.16.camel@ipfire.org>
In-Reply-To: <06a96e4b-e383-636c-c0b0-284d033b3510@web.de>

Hi,

On Sun, 2016-10-23 at 14:21 +0000, IT Superhack wrote:
> Hello Michael,
>
> sorry for the late reply.
>
> Michael Tremer:
> >
> > Hi,
> >
> > On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote:
> > >
> > > Hello Michael,
> > > hello Development-List (in CC),
> > >
> > > sorry for rehashing the issue: on 2016-10-06 I summarized
> > > my findings about htpasswd and its lack of bcrypt. Unfortunately,
> > > the bcrypt message digest algorithm is only available in
> > > the htpasswd version provided by the Apache Web Server (version
> > > 2.4.4 or later).
> > >
> > > Since it uses SHA *without any salt*, it seems to be more
> > > secure from my point of view to use the MD5 method instead, where
> > > a salt is used.
> >
> > I agree with this. Although not optimal, this is probably the option with
> > better security (assuming BF against a rainbow table).
> I'm afraid, yes.
> >
> > I added some more details to the commit message:
> >   http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134
> >
> > > Therefore I kindly ask you to revert the commit
> > > #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes
> > > were introduced. I know the developers are busy because of
> > > Core Update 106, and it can always happen that something slips
> > > through the fingers. :-)
> > >
> > > Thanks and best regards,
> > > Timmothy Wilson
> >
> > Thanks for making me reconsider this.
> You're welcome.
>
> Could you please correct the release announcement of the 106 beta version,
> too? It says in the "misc" section that the hash algorithm has been changed.
> I guess it is an older version.

This is actually referring to this commit:

  http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=da314725051fe0ebf56fd9d28dae78ab7406c6f4

I removed the "admin" part, which never should have been mentioned.

> >
> > However, I would be happy to receive any patches that add support for bcrypt
> > to *actually* fix this.
> As I said, this depends on Apache, which is a bigger task (and probably
> way too big for me). Sorry.
> >
> > Best,
> > -Michael
> >
> Best regards,
> Timmothy Wilson

-Michael
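An added illustration of the point argued in the thread (this is not code from IPFire or from Apache): the htpasswd `{SHA}` form stores a bare base64 SHA-1 digest, so every user with the same password gets a byte-identical entry, while the `$apr1$` form mixes a per-user salt into Apache's 1000-round MD5-crypt. The `apr1_entry` routine follows the steps of Apache's apr_md5_encode, and `unsalted_users` is an audit helper that flags entries still in the unsalted form; all function names here are my own.

```python
import base64
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha_entry(password: str) -> str:
    """htpasswd -s form: bare base64(SHA-1(pw)); no salt, so equal passwords collide."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def apr1_entry(password: str, salt: str = "") -> str:
    """htpasswd -m form ($apr1$): salted 1000-round MD5-crypt per apr_md5_encode."""
    pw = password.encode()
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    sb = salt.encode()
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    for pl in range(len(pw), 0, -16):          # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                   # per-bit step from the reference code
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching rounds
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""                                   # crypt-style base64 of permuted digest bytes
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[(final[11] >> 6) & 0x3F]
    return f"$apr1${salt}${out}"

def unsalted_users(htpasswd_text: str) -> list[str]:
    """Audit helper: users whose entry is still the unsalted {SHA} form."""
    return [line.split(":", 1)[0] for line in htpasswd_text.splitlines()
            if ":" in line and line.split(":", 1)[1].startswith("{SHA}")]
```

Running `unsalted_users` over an existing htpasswd file shows which accounts still carry a precomputable digest and should be rehashed by having the user set the password again.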