Hello Michael,
Michael Tremer:
Hi,
It didn't occur to me that someone would build SHA just like that.
No problem. :-)
Well, you have a point here.
However, our version of htpasswd does not have bcrypt:
[root@ipfire ~]# htpasswd --help
Usage:
	htpasswd [-cmdpsD] passwordfile username
	htpasswd -b[cmdpsD] passwordfile username password
	htpasswd -n[mdps] username
	htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password (default).
 -d  Force CRYPT encryption of the password.
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On other systems than Windows, NetWare and TPF the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
As far as I know at the moment, IPFire uses an outdated version of htpasswd. On my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which is already installed in the 2.4-x branch:
twilson@fra-03-47-1b:~> zypper info apache2-utils
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

Informationen zu package apache2-utils:
---------------------------------------
Repository: openSUSE-Leap-42.1-Update
Name: apache2-utils
Version: 2.4.16-15.1
Architektur: x86_64
Hersteller: openSUSE
Installiert: Ja
Status: aktuell
Installationsgröße: 221,4 KiB
Zusammenfassung: Apache 2 utilities
Beschreibung:
Utilities provided by the Apache 2 Web Server project which are useful to administrators of web servers in general.
This difference can also be found when comparing these two links:
https://httpd.apache.org/docs/2.2/programs/htpasswd.html
https://httpd.apache.org/docs/current/programs/htpasswd.html
Could you please investigate why and how we can enable that?
Why: see above.
At the moment, I am facing trouble trying to update the htpasswd package. The LFS file for this seems to live in ipfire-2.x/lfs/perl-Apache-Htpasswd. But there is no external download URL:
include Config

VER        = 1.9

THISAPP    = Apache-Htpasswd-$(VER)
DL_FILE    = $(THISAPP).tar.gz
DL_FROM    = $(URL_IPFIRE)
DIR_APP    = $(DIR_SRC)/$(THISAPP)
TARGET     = $(DIR_INFO)/$(THISAPP)
The Wiki documentation to this topic is not helping: "DL_FROM the url where the archive can be downloaded from (notice this is a very unusual case where the archive is in the root directory of the server)." Uh-huh.
I'll try some more, but I am afraid that it might be the weekend or so until I really get this working. Sorry.
Best regards, Timmothy Wilson
I am really tight on time this week but I would like to push out the core update as soon as possible.
Best, -Michael
On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
Hello Michael, hello List,
I have a question concerning the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bc... a1a0075376514e).
It is correct that htpasswd uses the MD5 algorithm as default, which is not very secure indeed. However, the -s option (which enforces the use of SHA) is insecure since there is no salt.
In case IPFire uses the same htpasswd version I use, I'd suggest the use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
This issue also appears in the help output of htpasswd:
twilson@fra-03-47-1b:~> htpasswd --help
[...]
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
[...]
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
twilson@fra-03-47-1b:~>
If your htpasswd version is somehow patched against this problem, just ignore my e-mail. :-)
Best regards, Timmothy Wilson
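To make the salt point of this thread concrete, here is an added Python example (not from the thread, nor from the IPFire or Apache code bases): it reproduces the {SHA} field that `htpasswd -s` stores, classifies the hash formats listed in the two help texts above, and reports users whose stored hashes are identical. The `$apr1$` and `$2y$` sample fields are constructed placeholders of the right shape, not real hashes.

```python
import base64
import hashlib
import re

# Hash formats htpasswd writes (compare the --help texts quoted in the thread),
# each with the verdict an auditor would attach. First matching entry wins.
SCHEMES = [
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d\d\$"),   "ok: salted, tunable cost (-B/-C)"),
    ("apr1-md5", re.compile(r"^\$apr1\$"),           "weak: salted but fast (-m)"),
    ("sha1",     re.compile(r"^\{SHA\}"),            "weak: unsalted, equal passwords collide (-s)"),
    ("crypt",    re.compile(r"^[./0-9A-Za-z]{13}$"), "weak: DES, 8-char limit (-d)"),
]

def classify(hash_field):
    """Map one htpasswd hash field to (scheme, verdict); anything else is plaintext (-p)."""
    for name, rx, verdict in SCHEMES:
        if rx.match(hash_field):
            return name, verdict
    return "plaintext", "critical: stored in the clear"

def sha_entry(password):
    """Reproduce what 'htpasswd -s' stores: '{SHA}' + base64(SHA-1(password)), no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse(htpasswd_text):
    """Yield (user, hash) pairs, skipping blank and comment lines."""
    for line in htpasswd_text.splitlines():
        if line and not line.startswith("#"):
            user, _, hashed = line.partition(":")
            yield user, hashed

def audit(htpasswd_text):
    """Return {user: (scheme, verdict)} for every entry in the file."""
    return {user: classify(hashed) for user, hashed in parse(htpasswd_text)}

def duplicate_hashes(htpasswd_text):
    """Groups of users sharing an identical stored hash: only an unsalted scheme allows this."""
    seen = {}
    for user, hashed in parse(htpasswd_text):
        seen.setdefault(hashed, []).append(user)
    return [users for users in seen.values() if len(users) > 1]

# Constructed sample file: alice and bob both chose "secret" under -s, so their
# {SHA} fields are identical; the $apr1$ and $2y$ fields are shape-only placeholders.
SAMPLE_HTPASSWD = "\n".join([
    "alice:" + sha_entry("secret"),
    "bob:" + sha_entry("secret"),
    "carol:$apr1$abcdefgh$" + "x" * 22,
    "dave:$2y$05$" + "x" * 53,
    "erin:secret",
])
```

Running `audit(SAMPLE_HTPASSWD)` flags every entry except dave's, and `duplicate_hashes(SAMPLE_HTPASSWD)` returns the alice/bob pair, which is exactly the leak a salted scheme prevents.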