* Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
@ 2016-10-05 8:13 IT Superhack
2016-10-05 10:52 ` Michael Tremer
0 siblings, 1 reply; 4+ messages in thread
From: IT Superhack @ 2016-10-05 8:13 UTC (permalink / raw)
To: development
[-- Attachment #1: Type: text/plain, Size: 1413 bytes --]
Hello Michael, hello List,
I have a question concerning the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
(http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcfa1a0075376514e).
It is correct that htpasswd uses the MD5 algorithm as default, which is
not very secure indeed. However, the -s option (which enforces the use
of SHA) is insecure since there is no salt.
In case IPFire uses the same htpasswd version I use, I'd suggest the
use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
This issue also appears in the help output of htpasswd:
twilson(a)fra-03-47-1b:~> htpasswd --help
[...]
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 31).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
-p Do not encrypt the password (plaintext, insecure).
[...]
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
twilson(a)fra-03-47-1b:~>
If your htpasswd version is somehow patched against this problem, just
ignore my e-mail. :-)
Best regards,
Timmothy Wilson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e 2016-10-05 8:13 Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e IT Superhack @ 2016-10-05 10:52 ` Michael Tremer 2016-10-06 14:00 ` IT Superhack 0 siblings, 1 reply; 4+ messages in thread From: Michael Tremer @ 2016-10-05 10:52 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2708 bytes --] Hi, I didn't occur to me that someone will build SHA just like that. Well, you have a point here. However, our version of htpasswd does not have bcrypt: [root(a)ipfire ~]# htpasswd --help Usage: htpasswd [-cmdpsD] passwordfile username htpasswd -b[cmdpsD] passwordfile username password htpasswd -n[mdps] username htpasswd -nb[mdps] username password -c Create a new file. -n Don't update file; display results on stdout. -m Force MD5 encryption of the password (default). -d Force CRYPT encryption of the password. -p Do not encrypt the password (plaintext). -s Force SHA encryption of the password. -b Use the password from the command line rather than prompting for it. -D Delete the specified user. On other systems than Windows, NetWare and TPF the '-p' flag will probably not work. The SHA algorithm does not use a salt and is less secure than the MD5 algorithm. Could you please investigate why and how we can enable that? I am really tight on time this week but I would like to push out the core update as soon as possible. Best, -Michael On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote: > Hello Michael, hello List, > > I have a question concerning the commit > #eef9b2529c3cab522dac4f4bcfa1a0075376514e > (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcf > a1a0075376514e). > > It is correct that htpasswd uses the MD5 algorithm as default, which is > not very secure indeed. However, the -s option (which enforces the use > of SHA) is insecure since there is no salt. > > In case IPFire uses the same htpasswd version I use, I'd suggest the > use of bcrypt (option: -B), since it is stronger than both SHA and MD5. > > This issue also appears in the help output of htpasswd: > > twilson(a)fra-03-47-1b:~> htpasswd --help > [...] > -m Force MD5 encryption of the password (default). > -B Force bcrypt encryption of the password (very secure). > -C Set the computing time used for the bcrypt algorithm > (higher is more secure but slower, default: 5, valid: 4 to 31). > -d Force CRYPT encryption of the password (8 chars max, insecure). > -s Force SHA encryption of the password (insecure). > -p Do not encrypt the password (plaintext, insecure). > [...] > On other systems than Windows and NetWare the '-p' flag will probably not > work. > The SHA algorithm does not use a salt and is less secure than the MD5 > algorithm. > twilson(a)fra-03-47-1b:~> > > If your htpasswd version is somehow patched against this problem, just > ignore my e-mail. :-) > > Best regards, > Timmothy Wilson > [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e 2016-10-05 10:52 ` Michael Tremer @ 2016-10-06 14:00 ` IT Superhack 2016-10-06 15:46 ` IT Superhack 0 siblings, 1 reply; 4+ messages in thread From: IT Superhack @ 2016-10-06 14:00 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 4591 bytes --] Hello Michael, Michael Tremer: > Hi, > > I didn't occur to me that someone will build SHA just like that. No problem. :-) > > Well, you have a point here. > > However, our version of htpasswd does not have bcrypt: > > [root(a)ipfire ~]# htpasswd --help > Usage: > htpasswd [-cmdpsD] passwordfile username > htpasswd -b[cmdpsD] passwordfile username password > > htpasswd -n[mdps] username > htpasswd -nb[mdps] username password > -c Create a new file. > -n Don't update file; display results on stdout. > -m Force MD5 encryption of the password (default). > -d Force CRYPT encryption of the password. > -p Do not encrypt the password (plaintext). > -s Force SHA encryption of the password. > -b Use the password from the command line rather than prompting for it. > -D Delete the specified user. > On other systems than Windows, NetWare and TPF the '-p' flag will probably not > work. > The SHA algorithm does not use a salt and is less secure than the MD5 algorithm. As far as I know at the moment, IPFire uses an outdated version of htpasswd. On my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which is already installed in the 2.4-x branch: twilson(a)fra-03-47-1b:~> zypper info apache2-utils Repository-Daten werden geladen... Installierte Pakete werden gelesen... Informationen zu package apache2-utils: --------------------------------------- Repository: openSUSE-Leap-42.1-Update Name: apache2-utils Version: 2.4.16-15.1 Architektur: x86_64 Hersteller:openSUSE Installiert: Ja Status: aktuell Installationsgröße: 221,4 KiB Zusammenfassung:Apache 2 utilities Beschreibung: Utilities provided by the Apache 2 Web Server project which are useful to administrators of web servers in general. This difference can also be found when comparing these two links: https://httpd.apache.org/docs/2.2/programs/htpasswd.html https://httpd.apache.org/docs/current/programs/htpasswd.html > > Could you please investigate why and how we can enable that? Why: see above. At the moment, I am facing trouble trying to update the htpasswd package. The LFS file for this seems to life in ipfire-2.x/lfs/perl-Apache-Htpasswd. But there is no external download URL: include Config VER = 1.9 THISAPP = Apache-Htpasswd-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive can be downloaded from (notice this is a very unusual case where the archive is in the root directory of the server)." Uh-huh. I'll try some more, but I am afraid that it might be weekend or so until I really get this working. Sorry. Best regards, Timmothy Wilson > > I am really tight on time this week but I would like to push out the core update > as soon as possible. > > Best, > -Michael > > On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote: >> Hello Michael, hello List, >> >> I have a question concerning the commit >> #eef9b2529c3cab522dac4f4bcfa1a0075376514e >> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcf >> a1a0075376514e). >> >> It is correct that htpasswd uses the MD5 algorithm as default, which is >> not very secure indeed. However, the -s option (which enforces the use >> of SHA) is insecure since there is no salt. >> >> In case IPFire uses the same htpasswd version I use, I'd suggest the >> use of bcrypt (option: -B), since it is stronger than both SHA and MD5. >> >> This issue also appears in the help output of htpasswd: >> >> twilson(a)fra-03-47-1b:~> htpasswd --help >> [...] >> -m Force MD5 encryption of the password (default). >> -B Force bcrypt encryption of the password (very secure). >> -C Set the computing time used for the bcrypt algorithm >> (higher is more secure but slower, default: 5, valid: 4 to 31). >> -d Force CRYPT encryption of the password (8 chars max, insecure). >> -s Force SHA encryption of the password (insecure). >> -p Do not encrypt the password (plaintext, insecure). >> [...] >> On other systems than Windows and NetWare the '-p' flag will probably not >> work. >> The SHA algorithm does not use a salt and is less secure than the MD5 >> algorithm. >> twilson(a)fra-03-47-1b:~> >> >> If your htpasswd version is somehow patched against this problem, just >> ignore my e-mail. :-) >> >> Best regards, >> Timmothy Wilson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e 2016-10-06 14:00 ` IT Superhack @ 2016-10-06 15:46 ` IT Superhack 0 siblings, 0 replies; 4+ messages in thread From: IT Superhack @ 2016-10-06 15:46 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 7568 bytes --] Hello Michael, hello Development-List, here is what I found out so far: There is a Perl implementation of htpasswd, called Apache::Htpasswd, which is used by IPFire. The latest version is 1.9 (dated somewhere back in 2012); newer releases are not available. Today it seems to be more common to use the htpasswd tool provided by the Apache webserver itself. It supports the bcrypt algorithm since version 2.4.4 (source: https://httpd.apache.org/docs/trunk/new_features_2_4.html#programs). A simple test showed that this is true: (1) download the Apache webserver (http://mirrors.m247.ro/apache//httpd/) (2) unpack it (3) run ./configure --prefix=SOMEPREFIX (4) run make and wait a few minutes (5) now an executable file can be found at support/htpasswd: make[1]: Leaving directory '/home/twilson/tmp_apache_2.4.23/httpd-2.4.23' twilson(a)fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23> cd support/ twilson(a)fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23/support> ./htpasswd Usage: htpasswd [-cimBdpsDv] [-C cost] passwordfile username htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password htpasswd -n[imBdps] [-C cost] username htpasswd -nb[mBdps] [-C cost] username password -c Create a new file. -n Don't update file; display results on stdout. -b Use the password from the command line rather than prompting for it. -i Read password from stdin without verification (for script usage). -m Force MD5 encryption of the password (default). -B Force bcrypt encryption of the password (very secure). -C Set the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 31). -d Force CRYPT encryption of the password (8 chars max, insecure). -s Force SHA encryption of the password (insecure). -p Do not encrypt the password (plaintext, insecure). -D Delete the specified user. -v Verify password for the specified user. On other systems than Windows and NetWare the '-p' flag will probably not work. The SHA algorithm does not use a salt and is less secure than the MD5 algorithm. So far, so good, so boring. :-) This, however, would require Apache 2.4.4 or higher. Although I cannot point at them right now, I remember that we had some problems a while ago trying to update to the 2.4.x-branch of Apache. Since my building skills are very poor and I do not have enough spare time at the moment, upgrading and testing Apache is out of question for me. :-( In case somebody else here want to have a closer look at it, I'd suggest: https://httpd.apache.org/docs/current/upgrading.html Until then, Michael, I would ask you to revert the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e. Best regards, Timmothy Wilson Timmothy Wilson: > Hello Michael, > > Michael Tremer: >> Hi, >> >> I didn't occur to me that someone will build SHA just like that. > No problem. :-) >> >> Well, you have a point here. >> >> However, our version of htpasswd does not have bcrypt: >> >> [root(a)ipfire ~]# htpasswd --help >> Usage: >> htpasswd [-cmdpsD] passwordfile username >> htpasswd -b[cmdpsD] passwordfile username password >> >> htpasswd -n[mdps] username >> htpasswd -nb[mdps] username password >> -c Create a new file. >> -n Don't update file; display results on stdout. >> -m Force MD5 encryption of the password (default). >> -d Force CRYPT encryption of the password. >> -p Do not encrypt the password (plaintext). >> -s Force SHA encryption of the password. >> -b Use the password from the command line rather than prompting for it. >> -D Delete the specified user. >> On other systems than Windows, NetWare and TPF the '-p' flag will probably not >> work. >> The SHA algorithm does not use a salt and is less secure than the MD5 algorithm. > > As far as I know at the moment, IPFire uses an outdated version of htpasswd. On > my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which > is already installed in the 2.4-x branch: > > twilson(a)fra-03-47-1b:~> zypper info apache2-utils > Repository-Daten werden geladen... > Installierte Pakete werden gelesen... > > > Informationen zu package apache2-utils: > --------------------------------------- > Repository: openSUSE-Leap-42.1-Update > Name: apache2-utils > Version: 2.4.16-15.1 > Architektur: x86_64 > Hersteller:openSUSE > Installiert: Ja > Status: aktuell > Installationsgröße: 221,4 KiB > Zusammenfassung:Apache 2 utilities > Beschreibung: > Utilities provided by the Apache 2 Web Server project which are useful > to administrators of web servers in general. > > This difference can also be found when comparing these two links: > https://httpd.apache.org/docs/2.2/programs/htpasswd.html > https://httpd.apache.org/docs/current/programs/htpasswd.html >> >> Could you please investigate why and how we can enable that? > Why: see above. > > At the moment, I am facing trouble trying to update the htpasswd package. The LFS > file for this seems to life in > ipfire-2.x/lfs/perl-Apache-Htpasswd. > But there is no external download URL: > > include Config > > VER = 1.9 > > THISAPP = Apache-Htpasswd-$(VER) > DL_FILE = $(THISAPP).tar.gz > DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > > The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive > can be downloaded from (notice this is a very unusual case where the archive > is in the root directory of the server)." Uh-huh. > > I'll try some more, but I am afraid that it might be weekend or so until I really > get this working. Sorry. > > Best regards, > Timmothy Wilson >> >> I am really tight on time this week but I would like to push out the core update >> as soon as possible. >> >> Best, >> -Michael >> >> On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote: >>> Hello Michael, hello List, >>> >>> I have a question concerning the commit >>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e >>> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcf >>> a1a0075376514e). >>> >>> It is correct that htpasswd uses the MD5 algorithm as default, which is >>> not very secure indeed. However, the -s option (which enforces the use >>> of SHA) is insecure since there is no salt. >>> >>> In case IPFire uses the same htpasswd version I use, I'd suggest the >>> use of bcrypt (option: -B), since it is stronger than both SHA and MD5. >>> >>> This issue also appears in the help output of htpasswd: >>> >>> twilson(a)fra-03-47-1b:~> htpasswd --help >>> [...] >>> -m Force MD5 encryption of the password (default). >>> -B Force bcrypt encryption of the password (very secure). >>> -C Set the computing time used for the bcrypt algorithm >>> (higher is more secure but slower, default: 5, valid: 4 to 31). >>> -d Force CRYPT encryption of the password (8 chars max, insecure). >>> -s Force SHA encryption of the password (insecure). >>> -p Do not encrypt the password (plaintext, insecure). >>> [...] >>> On other systems than Windows and NetWare the '-p' flag will probably not >>> work. >>> The SHA algorithm does not use a salt and is less secure than the MD5 >>> algorithm. >>> twilson(a)fra-03-47-1b:~> >>> >>> If your htpasswd version is somehow patched against this problem, just >>> ignore my e-mail. :-) >>> >>> Best regards, >>> Timmothy Wilson > > [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-10-06 15:46 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-10-05 8:13 Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e IT Superhack 2016-10-05 10:52 ` Michael Tremer 2016-10-06 14:00 ` IT Superhack 2016-10-06 15:46 ` IT Superhack
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox