From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: Question concerning commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e
Date: Thu, 06 Oct 2016 14:00:00 +0000
Message-ID: <e97fd62b-694f-a1a3-9cef-9d12cd4d0be6@web.de>
In-Reply-To: <1475664741.2582.60.camel@ipfire.org>

Hello Michael,

Michael Tremer:
> Hi,
>
> It didn't occur to me that someone will build SHA just like that.

No problem. :-)

>
> Well, you have a point here.
>
> However, our version of htpasswd does not have bcrypt:
>
> [root@ipfire ~]# htpasswd --help
> Usage:
> htpasswd [-cmdpsD] passwordfile username
> htpasswd -b[cmdpsD] passwordfile username password
>
> htpasswd -n[mdps] username
> htpasswd -nb[mdps] username password
> -c Create a new file.
> -n Don't update file; display results on stdout.
> -m Force MD5 encryption of the password (default).
> -d Force CRYPT encryption of the password.
> -p Do not encrypt the password (plaintext).
> -s Force SHA encryption of the password.
> -b Use the password from the command line rather than prompting for it.
> -D Delete the specified user.
> On other systems than Windows, NetWare and TPF the '-p' flag will probably not
> work.
> The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

As far as I know at the moment, IPFire uses an outdated version of htpasswd. On my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which is already installed in the 2.4-x branch:

twilson@fra-03-47-1b:~> zypper info apache2-utils
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

Informationen zu package apache2-utils:
---------------------------------------
Repository: openSUSE-Leap-42.1-Update
Name: apache2-utils
Version: 2.4.16-15.1
Architektur: x86_64
Hersteller: openSUSE
Installiert: Ja
Status: aktuell
Installationsgröße: 221,4 KiB
Zusammenfassung: Apache 2 utilities
Beschreibung:
Utilities provided by the Apache 2 Web Server project which are useful to
administrators of web servers in general.

This difference can also be found when comparing these two links:

https://httpd.apache.org/docs/2.2/programs/htpasswd.html
https://httpd.apache.org/docs/current/programs/htpasswd.html

>
> Could you please investigate why and how we can enable that?

Why: see above.

At the moment, I am facing trouble trying to update the htpasswd package. The LFS file for this seems to live in ipfire-2.x/lfs/perl-Apache-Htpasswd. But there is no external download URL:

include Config

VER = 1.9

THISAPP = Apache-Htpasswd-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)

The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive can be downloaded from (notice this is a very unusual case where the archive is in the root directory of the server)." Uh-huh.

I'll try some more, but I am afraid that it might be weekend or so until I really get this working. Sorry.

Best regards,
Timmothy Wilson

>
> I am really tight on time this week but I would like to push out the core update
> as soon as possible.
>
> Best,
> -Michael
>
> On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
>> Hello Michael, hello List,
>>
>> I have a question concerning the commit
>> #eef9b2529c3cab522dac4f4bcfa1a0075376514e
>> (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bcfa1a0075376514e).
>>
>> It is correct that htpasswd uses the MD5 algorithm as default, which is
>> not very secure indeed. However, the -s option (which enforces the use
>> of SHA) is insecure since there is no salt.
>>
>> In case IPFire uses the same htpasswd version I use, I'd suggest the
>> use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
>>
>> This issue also appears in the help output of htpasswd:
>>
>> twilson@fra-03-47-1b:~> htpasswd --help
>> [...]
>> -m Force MD5 encryption of the password (default).
>> -B Force bcrypt encryption of the password (very secure).
>> -C Set the computing time used for the bcrypt algorithm
>> (higher is more secure but slower, default: 5, valid: 4 to 31).
>> -d Force CRYPT encryption of the password (8 chars max, insecure).
>> -s Force SHA encryption of the password (insecure).
>> -p Do not encrypt the password (plaintext, insecure).
>> [...]
>> On other systems than Windows and NetWare the '-p' flag will probably not
>> work.
>> The SHA algorithm does not use a salt and is less secure than the MD5
>> algorithm.
>> twilson@fra-03-47-1b:~>
>>
>> If your htpasswd version is somehow patched against this problem, just
>> ignore my e-mail. :-)
>>
>> Best regards,
>> Timmothy Wilson
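The thread above turns on which hash scheme an htpasswd file actually contains (MD5 via -m, unsalted SHA-1 via -s, crypt(3) via -d, plaintext via -p, or bcrypt via -B with a -C work factor). The script below is an added example, not code from the thread or from the IPFire project: it audits an htpasswd file offline, classifies every entry by the on-disk format Apache's htpasswd writes ($apr1$ for MD5, {SHA} for SHA-1, $2y$ for bcrypt, a 13-character string for crypt), reports the bcrypt cost against a policy floor, and shows why the missing salt in {SHA} matters: two users with the same password get byte-identical entries, which is visible without cracking anything. MIN_BCRYPT_COST and the sample file are assumptions constructed for the example; the apr1, bcrypt and crypt strings in the sample are format-valid but not real hashes of any password.

```python
"""Audit an htpasswd file for weak hash schemes (added example, not IPFire code)."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Policy floor for the bcrypt work factor (-C). Assumption for this example,
# not an Apache or IPFire default; htpasswd's own default is 5.
MIN_BCRYPT_COST = 10

# On-disk formats written by htpasswd, keyed by the option that produces them.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")        # -B
APR1_RE = re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")  # -m (default)
SHA_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")                       # -s
CRYPT_RE = re.compile(r"^[./A-Za-z0-9]{13}$")                             # -d


def sha_htpasswd(password: str) -> str:
    """The '{SHA}' form written by 'htpasswd -s': base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


@dataclass
class Finding:
    user: str
    scheme: str
    salted: bool
    cost: Optional[int]
    verdict: str


def classify(user: str, hash_field: str) -> Finding:
    """Map one entry to its scheme and a defender-oriented verdict."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        cost = int(m.group(1))
        verdict = "ok" if cost >= MIN_BCRYPT_COST else (
            f"bcrypt cost {cost} below policy floor {MIN_BCRYPT_COST}")
        return Finding(user, "bcrypt", True, cost, verdict)
    if APR1_RE.match(hash_field):
        return Finding(user, "apr1-md5", True, None,
                       "salted MD5 (default -m): cheap to brute-force, rehash with -B")
    if SHA_RE.match(hash_field):
        return Finding(user, "sha1", False, None,
                       "unsalted SHA-1 (-s): equal passwords give equal hashes, rehash with -B")
    if CRYPT_RE.match(hash_field):
        return Finding(user, "crypt", True, None,
                       "crypt(3) (-d): password truncated to 8 characters, rehash with -B")
    return Finding(user, "plaintext-or-unknown", False, None,
                   "no recognised hash: probably plaintext (-p)")


def _entries(htpasswd_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, hash_field) pairs, skipping blank and comment lines."""
    for raw in htpasswd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        yield user, hash_field


def audit(htpasswd_text: str) -> List[Finding]:
    return [classify(user, h) for user, h in _entries(htpasswd_text)]


def shared_hashes(htpasswd_text: str) -> Dict[str, List[str]]:
    """Users whose hash fields are byte-identical. With a salted scheme this
    practically never happens; with '{SHA}' it reveals a shared password."""
    groups: Dict[str, List[str]] = {}
    for user, h in _entries(htpasswd_text):
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed sample file (not from the mailing list); bob and carol share a password.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample; apr1/bcrypt/crypt strings are format-valid, not real hashes",
    "alice:$apr1$saltsalt$" + "a" * 22,
    "bob:" + sha_htpasswd("correct horse"),
    "carol:" + sha_htpasswd("correct horse"),
    "dave:$2y$05$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "erin:$2y$12$" + "abcdefghijklmnopqrstuu" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "frank:ab0123456789A",
    "grace:hunter2",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_HTPASSWD):
        print(f"{f.user:8} {f.scheme:22} salted={f.salted!s:5} cost={f.cost}  {f.verdict}")
    for h, users in shared_hashes(SAMPLE_HTPASSWD).items():
        print(f"identical entry shared by {', '.join(users)}: {h}")
```

Run it against a real file with `audit(open("/path/to/.htpasswd").read())`; anything other than a bcrypt entry at or above the chosen cost is a candidate for rehashing with `htpasswd -B -C <cost>` the next time the user sets a password, since existing entries cannot be converted without the plaintext.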