public inbox for development@lists.ipfire.org
From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
Date: Thu, 06 Oct 2016 15:46:00 +0000	[thread overview]
Message-ID: <4f6ce86e-eae2-5485-b0be-664da6b05414@web.de> (raw)
In-Reply-To: <e97fd62b-694f-a1a3-9cef-9d12cd4d0be6@web.de>


Hello Michael, hello Development-List,

here is what I found out so far:

There is a Perl implementation of htpasswd, called Apache::Htpasswd, which
is used by IPFire. The latest version is 1.9 (dated somewhere back in 2012);
newer releases are not available.

Today it seems to be more common to use the htpasswd tool provided by the
Apache webserver itself. It supports the bcrypt algorithm since version
2.4.4 (source: https://httpd.apache.org/docs/trunk/new_features_2_4.html#programs).

A simple test showed that this is true:
(1) download the Apache webserver (http://mirrors.m247.ro/apache//httpd/)
(2) unpack it
(3) run ./configure --prefix=SOMEPREFIX
(4) run make and wait a few minutes
(5) now an executable file can be found at support/htpasswd:

make[1]: Leaving directory '/home/twilson/tmp_apache_2.4.23/httpd-2.4.23'
twilson(a)fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23> cd support/
twilson(a)fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23/support> ./htpasswd 
Usage:
	htpasswd [-cimBdpsDv] [-C cost] passwordfile username
	htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

	htpasswd -n[imBdps] [-C cost] username
	htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

So far, so good, so boring. :-)

This, however, would require Apache 2.4.4 or higher. Although I cannot
point at them right now, I remember that we had some problems a while ago
trying to update to the 2.4.x-branch of Apache.

Since my building skills are very poor and I do not have enough spare time at
the moment, upgrading and testing Apache is out of the question for me. :-(

In case somebody else here wants to have a closer look at it, I'd suggest:
https://httpd.apache.org/docs/current/upgrading.html

Until then, Michael, I would ask you to revert the commit
#eef9b2529c3cab522dac4f4bcfa1a0075376514e.

Best regards,
Timmothy Wilson

Timmothy Wilson:
> Hello Michael,
> 
> Michael Tremer:
>> Hi,
>>
>> It didn't occur to me that someone would build SHA just like that.
> No problem. :-)
>>
>> Well, you have a point here.
>>
>> However, our version of htpasswd does not have bcrypt:
>>
>> [root(a)ipfire ~]# htpasswd --help
>> Usage:
>> 	htpasswd [-cmdpsD] passwordfile username
>> 	htpasswd -b[cmdpsD] passwordfile username password
>>
>> 	htpasswd -n[mdps] username
>> 	htpasswd -nb[mdps] username password
>>  -c  Create a new file.
>>  -n  Don't update file; display results on stdout.
>>  -m  Force MD5 encryption of the password (default).
>>  -d  Force CRYPT encryption of the password.
>>  -p  Do not encrypt the password (plaintext).
>>  -s  Force SHA encryption of the password.
>>  -b  Use the password from the command line rather than prompting for it.
>>  -D  Delete the specified user.
>> On other systems than Windows, NetWare and TPF the '-p' flag will probably not
>> work.
>> The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
> 
> As far as I know at the moment, IPFire uses an outdated version of htpasswd. On
> my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which
> is already installed in the 2.4.x branch:
> 
> twilson(a)fra-03-47-1b:~> zypper info apache2-utils
> Repository-Daten werden geladen...
> Installierte Pakete werden gelesen...
> 
> 
> Informationen zu package apache2-utils:
> ---------------------------------------
> Repository: openSUSE-Leap-42.1-Update
> Name: apache2-utils
> Version: 2.4.16-15.1
> Architektur: x86_64
> Hersteller:openSUSE
> Installiert: Ja
> Status: aktuell
> Installationsgröße: 221,4 KiB
> Zusammenfassung:Apache 2 utilities
> Beschreibung: 
>   Utilities provided by the Apache 2 Web Server project which are useful
>   to administrators of web servers in general.
> 
> This difference can also be found when comparing these two links:
> https://httpd.apache.org/docs/2.2/programs/htpasswd.html
> https://httpd.apache.org/docs/current/programs/htpasswd.html
>>
>> Could you please investigate why and how we can enable that?
> Why: see above.
> 
> At the moment, I am facing trouble trying to update the htpasswd package. The LFS
> file for this seems to live in
> 	ipfire-2.x/lfs/perl-Apache-Htpasswd.
> But there is no external download URL:
> 
> include Config
> 
> VER        = 1.9
> 
> THISAPP    = Apache-Htpasswd-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> DL_FROM    = $(URL_IPFIRE)
> DIR_APP    = $(DIR_SRC)/$(THISAPP)
> TARGET     = $(DIR_INFO)/$(THISAPP)
> 
> The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive
> can be downloaded from (notice this is a very unusual case where the archive
> is in the root directory of the server)." Uh-huh.
> 
> I'll try some more, but I am afraid that it might be weekend or so until I really
> get this working. Sorry.
> 
> Best regards,
> Timmothy Wilson
>>
>> I am really tight on time this week but I would like to push out the core update
>> as soon as possible.
>>
>> Best,
>> -Michael
>>
>> On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
>>> Hello Michael, hello List,
>>>
>>> I have a question concerning the commit
>>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e
>>> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcfa1a0075376514e).
>>>
>>> It is correct that htpasswd uses the MD5 algorithm as default, which is
>>> not very secure indeed. However, the -s option (which enforces the use
>>> of SHA) is insecure since there is no salt.
>>>
>>> In case IPFire uses the same htpasswd version I use, I'd suggest the
>>> use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
>>>
>>> This issue also appears in the help output of htpasswd:
>>>
>>> twilson(a)fra-03-47-1b:~> htpasswd --help
>>> [...]
>>>  -m  Force MD5 encryption of the password (default).
>>>  -B  Force bcrypt encryption of the password (very secure).
>>>  -C  Set the computing time used for the bcrypt algorithm
>>>      (higher is more secure but slower, default: 5, valid: 4 to 31).
>>>  -d  Force CRYPT encryption of the password (8 chars max, insecure).
>>>  -s  Force SHA encryption of the password (insecure).
>>>  -p  Do not encrypt the password (plaintext, insecure).
>>> [...]
>>> On other systems than Windows and NetWare the '-p' flag will probably not
>>> work.
>>> The SHA algorithm does not use a salt and is less secure than the MD5
>>> algorithm.
>>> twilson(a)fra-03-47-1b:~>
>>>
>>> If your htpasswd version is somehow patched against this problem, just
>>> ignore my e-mail. :-)
>>>
>>> Best regards,
>>> Timmothy Wilson
> 
> 




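The thread turns on which hash scheme the htpasswd file ends up with: MD5 (the `$apr1$` default), unsalted SHA-1 (`-s`, the `{SHA}` prefix), or bcrypt (`-B`, only in Apache 2.4.4 and later). As an added example, which is neither code from this thread nor from the IPFire project, the following Python script audits an htpasswd file from the defender's side: it classifies each entry by the prefix that htpasswd writes for each scheme, flags the unsalted and plaintext ones, and shows concretely why the `-s` option is the weaker choice: two users with the same password receive the identical stored value, which a salted scheme never produces. The sample file is constructed inline; its `{SHA}` entries are genuine outputs of that format, while the `$apr1$` and `$2y$` strings are placeholders of the right shape only, not real hashes of any password.

```python
"""Audit an htpasswd file for weak password-hash schemes.

Added example, not code from the IPFire project or the mailing-list
thread. Entry classification is by prefix, as written by Apache htpasswd.
"""
import base64
import hashlib
import re

# Scheme prefixes written by Apache htpasswd. Anything that matches none of
# these is either traditional crypt(3) output (13 chars) or plaintext (-p).
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$")),      # htpasswd -B
    ("apr1-md5", re.compile(r"^\$apr1\$")),              # htpasswd -m (default)
    ("sha1-unsalted", re.compile(r"^\{SHA\}")),          # htpasswd -s
]

# Schemes an auditor should flag: no salt, tiny key space, or no hashing.
WEAK = {"sha1-unsalted", "crypt-des", "plaintext"}


def sha_entry(password: str) -> str:
    """Reproduce the {SHA} format: base64(SHA-1(password)) with no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def classify(hash_field: str) -> str:
    """Return the scheme name for one stored hash value."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name
    # Traditional DES crypt is exactly 13 chars from the crypt alphabet.
    # (A 13-char plaintext password would be misclassified; accepted here.)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt-des"
    return "plaintext"


def parse_htpasswd(text: str) -> list:
    """Parse 'user:hash' lines, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        entries.append((user, hash_field))
    return entries


def audit(text: str) -> dict:
    """Report weak-scheme users and users whose stored values collide."""
    report = {"weak": {}, "duplicate_hashes": {}}
    by_hash = {}
    for user, h in parse_htpasswd(text):
        scheme = classify(h)
        if scheme in WEAK:
            report["weak"][user] = scheme
        by_hash.setdefault(h, []).append(user)
    # Identical stored values reveal identical passwords. This can only
    # happen with unsalted schemes; apr1 and bcrypt embed a per-entry salt.
    report["duplicate_hashes"] = {
        h: users for h, users in by_hash.items() if len(users) > 1
    }
    return report


# Constructed sample file (not from any real system). alice and bob share a
# password hashed with -s; carol and dave carry shape-only placeholders.
SAMPLE = "\n".join([
    "alice:" + sha_entry("correct horse"),
    "bob:" + sha_entry("correct horse"),
    "carol:$apr1$xxxxxxxx$" + "y" * 22,   # placeholder, right shape only
    "dave:$2y$05$" + "z" * 53,            # placeholder, right shape only
    "erin:plaintextsecret",               # htpasswd -p style entry
])

if __name__ == "__main__":
    result = audit(SAMPLE)
    for user, scheme in result["weak"].items():
        print(f"WEAK  {user}: {scheme}")
    for h, users in result["duplicate_hashes"].items():
        print(f"SAME PASSWORD  {', '.join(users)}  ({h})")
```

Run it as-is to see alice and bob reported both as `sha1-unsalted` and as sharing a password, while the `$apr1$` and `$2y$` entries pass the scheme check. The same `audit()` can be pointed at a real file's contents to find entries that should be rehashed once a bcrypt-capable htpasswd is available.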
Thread overview: 4+ messages
2016-10-05  8:13 IT Superhack
2016-10-05 10:52 ` Michael Tremer
2016-10-06 14:00   ` IT Superhack
2016-10-06 15:46     ` IT Superhack [this message]
