* htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e) @ 2016-10-15 8:16 IT Superhack 2016-10-15 21:48 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: IT Superhack @ 2016-10-15 8:16 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 749 bytes --] Hello Michael, hello Development-List (in CC), sorry for rehashing the issue: At 2016-10-06 I summarized my findings about htpasswd and its lack of bcrypt. Unfortunately, the bcrypt message digest algorithm is only available in the htpasswd version provided by the Apache Web Server (version 2.4.4 or later). Since it uses SHA *without any salt*, it seems to be more secure in my point of view to use the MD5 method instead, where a salt is used. Thereof I kindly ask you to revert the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes were introduced. I know the developers are busy because of Core Update 106, and it can always happen that something slips through the fingers. :-) Thanks and best regards, Timmothy Wilson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e) 2016-10-15 8:16 htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e) IT Superhack @ 2016-10-15 21:48 ` Michael Tremer 2016-10-23 14:21 ` htpasswd: message digest algorithm IT Superhack 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2016-10-15 21:48 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1324 bytes --] Hi, On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote: > Hello Michael, > hello Development-List (in CC), > > sorry for rehashing the issue: At 2016-10-06 I summarized > my findings about htpasswd and its lack of bcrypt. Unfortunately, > the bcrypt message digest algorithm is only available in > the htpasswd version provided by the Apache Web Server (version > 2.4.4 or later). > > Since it uses SHA *without any salt*, it seems to be more > secure in my point of view to use the MD5 method instead, where > a salt is used. I agree with this. Although not optimal, this is probably the option with better security (assuming to BF against rainbow table). I added some more details to the commit message: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134 > Thereof I kindly ask you to revert the commit > #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes > were introduced. I know the developers are busy because of > Core Update 106, and it can always happen that something slips > through the fingers. :-) > > Thanks and best regards, > Timmothy Wilson Thanks for making me reconsider this. However, I would be happy to receive any patches that add support for bcrypt to *actually* fix this. Best, -Michael [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: htpasswd: message digest algorithm 2016-10-15 21:48 ` Michael Tremer @ 2016-10-23 14:21 ` IT Superhack 2016-10-23 18:10 ` Michael Tremer 0 siblings, 1 reply; 4+ messages in thread From: IT Superhack @ 2016-10-23 14:21 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1805 bytes --] Hello Michael, sorry for the late reply. Michael Tremer: > Hi, > > On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote: >> Hello Michael, >> hello Development-List (in CC), >> >> sorry for rehashing the issue: At 2016-10-06 I summarized >> my findings about htpasswd and its lack of bcrypt. Unfortunately, >> the bcrypt message digest algorithm is only available in >> the htpasswd version provided by the Apache Web Server (version >> 2.4.4 or later). >> >> Since it uses SHA *without any salt*, it seems to be more >> secure in my point of view to use the MD5 method instead, where >> a salt is used. > > I agree with this. Although not optimal, this is probably the option with better > security (assuming to BF against rainbow table). I'm afraid, yes. > > I added some more details to the commit message: > http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9bab0b305ff5b92194b134 > >> Thereof I kindly ask you to revert the commit >> #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes >> were introduced. I know the developers are busy because of >> Core Update 106, and it can always happen that something slips >> through the fingers. :-) >> >> Thanks and best regards, >> Timmothy Wilson > > Thanks for making me reconsider this. You're welcome. Could you please correct the release announcement of the 106 beta version, too? It says in the "misc" section that the hash algorithm has been changed. I guess it is an older version. > > However, I would be happy to receive any patches that add support for bcrypt to > *actually* fix this. As I said, this depends on Apache, which is a bigger task (and probably way too big for me). Sorry. > > Best, > -Michael > Best regards, Timmothy Wilson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: htpasswd: message digest algorithm 2016-10-23 14:21 ` htpasswd: message digest algorithm IT Superhack @ 2016-10-23 18:10 ` Michael Tremer 0 siblings, 0 replies; 4+ messages in thread From: Michael Tremer @ 2016-10-23 18:10 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2289 bytes --] Hi, On Sun, 2016-10-23 at 14:21 +0000, IT Superhack wrote: > Hello Michael, > > sorry for the late reply. > > Michael Tremer: > > > > Hi, > > > > On Sat, 2016-10-15 at 08:16 +0000, IT Superhack wrote: > > > > > > Hello Michael, > > > hello Development-List (in CC), > > > > > > sorry for rehashing the issue: At 2016-10-06 I summarized > > > my findings about htpasswd and its lack of bcrypt. Unfortunately, > > > the bcrypt message digest algorithm is only available in > > > the htpasswd version provided by the Apache Web Server (version > > > 2.4.4 or later). > > > > > > Since it uses SHA *without any salt*, it seems to be more > > > secure in my point of view to use the MD5 method instead, where > > > a salt is used. > > > > I agree with this. Although not optimal, this is probably the option with > > better > > security (assuming to BF against rainbow table). > I'm afraid, yes. > > > > > > I added some more details to the commit message: > > http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=96473f525dcec4115b9 > > bab0b305ff5b92194b134 > > > > > > > > Thereof I kindly ask you to revert the commit > > > #eef9b2529c3cab522dac4f4bcfa1a0075376514e, where these changes > > > were introduced. I know the developers are busy because of > > > Core Update 106, and it can always happen that something slips > > > through the fingers. :-) > > > > > > Thanks and best regards, > > > Timmothy Wilson > > > > Thanks for making me reconsider this. > You're welcome. > > Could you please correct the release announcement of the 106 beta version, > too? It says > in the "misc" section that the hash algorithm has been changed. I guess it is > an > older version. This is actually referring to this commit: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=da314725051fe0ebf56fd9d28dae78ab7406c6f4 I removed the "admin" part which never should have been mentioned. > > > > > > However, I would be happy to receive any patches that add support for bcrypt > > to > > *actually* fix this. > As I said, this depends on Apache, which is a bigger task (and probably > way too big for me). Sorry. > > > > > > Best, > > -Michael > > > Best regards, > Timmothy Wilson -Michael [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-10-23 18:10 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-10-15 8:16 htpasswd: message digest algorithm (was: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e) IT Superhack 2016-10-15 21:48 ` Michael Tremer 2016-10-23 14:21 ` htpasswd: message digest algorithm IT Superhack 2016-10-23 18:10 ` Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox