From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
Date: Thu, 06 Oct 2016 14:00:00 +0000 [thread overview]
Message-ID: <e97fd62b-694f-a1a3-9cef-9d12cd4d0be6@web.de> (raw)
In-Reply-To: <1475664741.2582.60.camel@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 4591 bytes --]
Hello Michael,
Michael Tremer:
> Hi,
>
> I didn't occur to me that someone will build SHA just like that.
No problem. :-)
>
> Well, you have a point here.
>
> However, our version of htpasswd does not have bcrypt:
>
> [root(a)ipfire ~]# htpasswd --help
> Usage:
> htpasswd [-cmdpsD] passwordfile username
> htpasswd -b[cmdpsD] passwordfile username password
>
> htpasswd -n[mdps] username
> htpasswd -nb[mdps] username password
> -c Create a new file.
> -n Don't update file; display results on stdout.
> -m Force MD5 encryption of the password (default).
> -d Force CRYPT encryption of the password.
> -p Do not encrypt the password (plaintext).
> -s Force SHA encryption of the password.
> -b Use the password from the command line rather than prompting for it.
> -D Delete the specified user.
> On other systems than Windows, NetWare and TPF the '-p' flag will probably not
> work.
> The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
As far as I know at the moment, IPFire uses an outdated version of htpasswd. On
my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which
is already installed in the 2.4-x branch:
twilson(a)fra-03-47-1b:~> zypper info apache2-utils
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...
Informationen zu package apache2-utils:
---------------------------------------
Repository: openSUSE-Leap-42.1-Update
Name: apache2-utils
Version: 2.4.16-15.1
Architektur: x86_64
Hersteller:openSUSE
Installiert: Ja
Status: aktuell
Installationsgröße: 221,4 KiB
Zusammenfassung:Apache 2 utilities
Beschreibung:
Utilities provided by the Apache 2 Web Server project which are useful
to administrators of web servers in general.
This difference can also be found when comparing these two links:
https://httpd.apache.org/docs/2.2/programs/htpasswd.html
https://httpd.apache.org/docs/current/programs/htpasswd.html
>
> Could you please investigate why and how we can enable that?
Why: see above.
At the moment, I am facing trouble trying to update the htpasswd package. The LFS
file for this seems to life in
ipfire-2.x/lfs/perl-Apache-Htpasswd.
But there is no external download URL:
include Config
VER = 1.9
THISAPP = Apache-Htpasswd-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive
can be downloaded from (notice this is a very unusual case where the archive
is in the root directory of the server)." Uh-huh.
I'll try some more, but I am afraid that it might be weekend or so until I really
get this working. Sorry.
Best regards,
Timmothy Wilson
>
> I am really tight on time this week but I would like to push out the core update
> as soon as possible.
>
> Best,
> -Michael
>
> On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
>> Hello Michael, hello List,
>>
>> I have a question concerning the commit
>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e
>> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcf
>> a1a0075376514e).
>>
>> It is correct that htpasswd uses the MD5 algorithm as default, which is
>> not very secure indeed. However, the -s option (which enforces the use
>> of SHA) is insecure since there is no salt.
>>
>> In case IPFire uses the same htpasswd version I use, I'd suggest the
>> use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
>>
>> This issue also appears in the help output of htpasswd:
>>
>> twilson(a)fra-03-47-1b:~> htpasswd --help
>> [...]
>> -m Force MD5 encryption of the password (default).
>> -B Force bcrypt encryption of the password (very secure).
>> -C Set the computing time used for the bcrypt algorithm
>> (higher is more secure but slower, default: 5, valid: 4 to 31).
>> -d Force CRYPT encryption of the password (8 chars max, insecure).
>> -s Force SHA encryption of the password (insecure).
>> -p Do not encrypt the password (plaintext, insecure).
>> [...]
>> On other systems than Windows and NetWare the '-p' flag will probably not
>> work.
>> The SHA algorithm does not use a salt and is less secure than the MD5
>> algorithm.
>> twilson(a)fra-03-47-1b:~>
>>
>> If your htpasswd version is somehow patched against this problem, just
>> ignore my e-mail. :-)
>>
>> Best regards,
>> Timmothy Wilson
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
next prev parent reply other threads:[~2016-10-06 14:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-05 8:13 IT Superhack
2016-10-05 10:52 ` Michael Tremer
2016-10-06 14:00 ` IT Superhack [this message]
2016-10-06 15:46 ` IT Superhack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e97fd62b-694f-a1a3-9cef-9d12cd4d0be6@web.de \
--to=itsuperhack@web.de \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox