From: IT Superhack
To: development@lists.ipfire.org
Subject: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
Date: Thu, 06 Oct 2016 15:46:00 +0000
Message-ID: <4f6ce86e-eae2-5485-b0be-664da6b05414@web.de>

Hello Michael, hello Development-List,

here is what I found out so far:

There is a Perl implementation of htpasswd, called Apache::Htpasswd, which
is used by IPFire. The latest version is 1.9 (dated somewhere back in 2012);
newer releases are not available.

Today it seems to be more common to use the htpasswd tool provided by the
Apache webserver itself. It supports the bcrypt algorithm since version 2.4.4
(source: https://httpd.apache.org/docs/trunk/new_features_2_4.html#programs).

A simple test showed that this is true:
(1) download the Apache webserver (http://mirrors.m247.ro/apache//httpd/)
(2) unpack it
(3) run ./configure --prefix=SOMEPREFIX
(4) run make and wait a few minutes
(5) now an executable file can be found at support/htpasswd:

make[1]: Leaving directory '/home/twilson/tmp_apache_2.4.23/httpd-2.4.23'
twilson@fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23> cd support/
twilson@fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23/support> ./htpasswd
Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

So far, so good, so boring. :-)

This, however, would require Apache 2.4.4 or higher. Although I cannot point
at them right now, I remember that we had some problems a while ago trying to
update to the 2.4.x branch of Apache. Since my building skills are very poor
and I do not have enough spare time at the moment, upgrading and testing
Apache is out of the question for me. :-(

In case somebody else here wants to have a closer look at it, I'd suggest:
https://httpd.apache.org/docs/current/upgrading.html

Until then, Michael, I would ask you to revert the commit
#eef9b2529c3cab522dac4f4bcfa1a0075376514e.

Best regards,
Timmothy Wilson

Timmothy Wilson:
> Hello Michael,
>
> Michael Tremer:
>> Hi,
>>
>> It didn't occur to me that someone will build SHA just like that.
> No problem. :-)
>>
>> Well, you have a point here.
>>
>> However, our version of htpasswd does not have bcrypt:
>>
>> [root@ipfire ~]# htpasswd --help
>> Usage:
>>         htpasswd [-cmdpsD] passwordfile username
>>         htpasswd -b[cmdpsD] passwordfile username password
>>
>>         htpasswd -n[mdps] username
>>         htpasswd -nb[mdps] username password
>>  -c  Create a new file.
>>  -n  Don't update file; display results on stdout.
>>  -m  Force MD5 encryption of the password (default).
>>  -d  Force CRYPT encryption of the password.
>>  -p  Do not encrypt the password (plaintext).
>>  -s  Force SHA encryption of the password.
>>  -b  Use the password from the command line rather than prompting for it.
>>  -D  Delete the specified user.
>> On other systems than Windows, NetWare and TPF the '-p' flag will probably not
>> work.
>> The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
>
> As far as I know at the moment, IPFire uses an outdated version of htpasswd. On
> my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which
> is already installed in the 2.4.x branch:
>
> twilson@fra-03-47-1b:~> zypper info apache2-utils
> Loading repository data...
> Reading installed packages...
>
>
> Information for package apache2-utils:
> ---------------------------------------
> Repository: openSUSE-Leap-42.1-Update
> Name: apache2-utils
> Version: 2.4.16-15.1
> Architecture: x86_64
> Vendor: openSUSE
> Installed: Yes
> Status: up-to-date
> Installed Size: 221.4 KiB
> Summary: Apache 2 utilities
> Description:
> Utilities provided by the Apache 2 Web Server project which are useful
> to administrators of web servers in general.
>
> This difference can also be found when comparing these two links:
> https://httpd.apache.org/docs/2.2/programs/htpasswd.html
> https://httpd.apache.org/docs/current/programs/htpasswd.html
>>
>> Could you please investigate why and how we can enable that?
> Why: see above.
>
> At the moment, I am facing trouble trying to update the htpasswd package. The LFS
> file for this seems to live in
> ipfire-2.x/lfs/perl-Apache-Htpasswd.
> But there is no external download URL:
>
> include Config
>
> VER        = 1.9
>
> THISAPP    = Apache-Htpasswd-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> DL_FROM    = $(URL_IPFIRE)
> DIR_APP    = $(DIR_SRC)/$(THISAPP)
> TARGET     = $(DIR_INFO)/$(THISAPP)
>
> The Wiki documentation on this topic is not helping: "DL_FROM the url where the archive
> can be downloaded from (notice this is a very unusual case where the archive
> is in the root directory of the server)." Uh-huh.
>
> I'll try some more, but I am afraid that it might be the weekend or so until I really
> get this working. Sorry.
>
> Best regards,
> Timmothy Wilson
>>
>> I am really tight on time this week but I would like to push out the core update
>> as soon as possible.
>>
>> Best,
>> -Michael
>>
>> On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
>>> Hello Michael, hello List,
>>>
>>> I have a question concerning the commit
>>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e
>>> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcfa1a0075376514e).
>>>
>>> It is correct that htpasswd uses the MD5 algorithm as default, which is
>>> not very secure indeed. However, the -s option (which enforces the use
>>> of SHA) is insecure since there is no salt.
>>>
>>> In case IPFire uses the same htpasswd version I use, I'd suggest the
>>> use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
>>>
>>> This issue also appears in the help output of htpasswd:
>>>
>>> twilson@fra-03-47-1b:~> htpasswd --help
>>> [...]
>>>  -m  Force MD5 encryption of the password (default).
>>>  -B  Force bcrypt encryption of the password (very secure).
>>>  -C  Set the computing time used for the bcrypt algorithm
>>>      (higher is more secure but slower, default: 5, valid: 4 to 31).
>>>  -d  Force CRYPT encryption of the password (8 chars max, insecure).
>>>  -s  Force SHA encryption of the password (insecure).
>>>  -p  Do not encrypt the password (plaintext, insecure).
>>> [...]
>>> On other systems than Windows and NetWare the '-p' flag will probably not
>>> work.
>>> The SHA algorithm does not use a salt and is less secure than the MD5
>>> algorithm.
>>> twilson@fra-03-47-1b:~>
>>>
>>> If your htpasswd version is somehow patched against this problem, just
>>> ignore my e-mail. :-)
>>>
>>> Best regards,
>>> Timmothy Wilson
>
>
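Added example, not code from the IPFire project or from anyone in this thread. The discussion turns on what the htpasswd schemes actually store: `-s` writes `{SHA}` followed by the unsalted, base64-encoded SHA-1 of the password, so two users with the same password get byte-identical entries; `-m` writes `$apr1$<salt>$<hash>`, Apache's salted MD5-crypt variant (1000 fixed rounds); `-B` writes a `$2y$` bcrypt hash with a tunable cost. The script below parses an htpasswd file, classifies each entry by scheme, verifies `{SHA}` and `$apr1$` entries using only the Python standard library, and rates them the way the thread does (unsalted SHA, DES crypt and plaintext weak; apr1 legacy; bcrypt ok). The sample file is constructed here; the `$2y$` line is a format-shaped placeholder, not a real bcrypt hash, because verifying bcrypt would need the third-party `bcrypt` module.

```python
"""Audit an htpasswd file for the weak schemes discussed in the thread.

Added example; not code from the IPFire project or the mailing-list thread.
Standard library only: {SHA} (-s) and $apr1$ (-m) entries are verified,
bcrypt (-B, $2y$) entries are recognised by prefix but not verified.
"""
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
RATING = {"bcrypt": "ok", "apr1-md5": "legacy"}   # everything else rates "weak"


def sha_hash(password: str) -> str:
    """htpasswd -s: SHA-1 of the password, base64, '{SHA}' prefix. No salt at all."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def apr1_hash(password: str, salt: str = "") -> str:
    """htpasswd -m: Apache MD5-crypt, '$apr1$<salt>$<22 chars>'. Salted, 1000 rounds."""
    salt = (salt or "".join(secrets.choice(ITOA64) for _ in range(8)))[:8]
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw)):                      # mix in len(pw) bytes of the alt digest
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                      # the historical bit-walk over len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                         # fixed stretching loop
        ctx = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx.update(sb)
        if i % 7:
            ctx.update(pw)
        ctx.update(final if i & 1 else pw)
        final = ctx.digest()

    def to64(v: int, n: int) -> str:              # crypt-style base64, low 6 bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return f"$apr1${salt}${out}{to64(final[11], 2)}"


def scheme_of(hashed: str) -> str:
    """Classify the hash part of a 'user:hash' line by prefix/shape."""
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hashed.startswith("$apr1$"):
        return "apr1-md5"
    if hashed.startswith("{SHA}"):
        return "sha1-unsalted"
    if len(hashed) == 13 and all(c in ITOA64 for c in hashed):
        return "des-crypt"                        # htpasswd -d: 8-char password limit
    return "plaintext"                            # htpasswd -p


def verify(password: str, hashed: str) -> bool:
    """Constant-time check of a password against a {SHA}, $apr1$ or plaintext entry."""
    scheme = scheme_of(hashed)
    if scheme == "sha1-unsalted":
        return hmac.compare_digest(sha_hash(password).encode(), hashed.encode())
    if scheme == "apr1-md5":
        salt = hashed.split("$")[2]
        return hmac.compare_digest(apr1_hash(password, salt).encode(), hashed.encode())
    if scheme == "plaintext":
        return hmac.compare_digest(password.encode(), hashed.encode())
    raise NotImplementedError(f"{scheme}: not verified by this stdlib-only example")


def audit(htpasswd_text: str) -> list:
    """Return (user, scheme, rating) per entry, skipping blanks and comments."""
    report = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        scheme = scheme_of(hashed)
        report.append((user, scheme, RATING.get(scheme, "weak")))
    return report


# Constructed sample file (not a real IPFire file). Two users share the password
# "password": their {SHA} entries are identical, their $apr1$ entries differ.
# The $2y$ line is a format-shaped placeholder, not a real bcrypt hash.
SAMPLE_HTPASSWD = "\n".join([
    "admin:" + sha_hash("password"),
    "backup:" + sha_hash("password"),
    "ops:" + apr1_hash("password", "abcdefgh"),
    "ops2:" + apr1_hash("password", "hgfedcba"),
    "new:$2y$05$" + "." * 53,
])

if __name__ == "__main__":
    for user, scheme, rating in audit(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:14} {rating}")
```

Running it against a real file (`audit(open("/path/to/.htpasswd").read())`) gives a quick list of which accounts still need to be re-hashed once an htpasswd with `-B` is available; until then the comparison of the `admin` and `backup` lines shows concretely why `-s` is the wrong replacement for `-m`.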