Hello Michael, hello List,
I have a question concerning the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e (http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=eef9b2529c3cab522dac4f4bc...).
It is correct that htpasswd uses the MD5 algorithm as default, which is not very secure indeed. However, the -s option (which enforces the use of SHA) is insecure since there is no salt.
In case IPFire uses the same htpasswd version I use, I'd suggest the use of bcrypt (option: -B), since it is stronger than both SHA and MD5.
This issue also appears in the help output of htpasswd:
twilson@fra-03-47-1b:~> htpasswd --help
[...]
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
[...]
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
twilson@fra-03-47-1b:~>
If your htpasswd version is somehow patched against this problem, just ignore my e-mail. :-)
Best regards, Timmothy Wilson
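The point of this mail is that `htpasswd -s` writes `{SHA}` + base64(SHA-1(password)) with no salt, so every account with the same password gets a byte-identical entry. The following is an added example (not code from the thread or from IPFire) that reproduces that format with the standard library and audits a constructed htpasswd file for the weak schemes the help text names; the apr1 and bcrypt fields in the sample are shape-only placeholders.

```python
import base64
import hashlib
import string
from collections import defaultdict

CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")
WEAK = {"plaintext", "crypt-des", "sha1-unsalted"}   # formats htpasswd itself calls insecure

def sha_entry(password: str) -> str:
    """Reproduce what 'htpasswd -s' stores: '{SHA}' + base64(SHA-1(pw)). No salt, so deterministic."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def classify(hash_field: str) -> str:
    """Name the scheme of one htpasswd hash field from its prefix or shape."""
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"                      # -s
    if hash_field.startswith("$apr1$"):
        return "md5-apr1"                           # -m (salted, iterated)
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"                             # -B
    if len(hash_field) == 13 and set(hash_field) <= CRYPT_ALPHABET:
        return "crypt-des"                          # -d (8 chars max)
    return "plaintext"                              # -p or unrecognised

def audit(htpasswd_text: str) -> dict:
    """Classify every entry, list the weak ones, and group identical {SHA} hashes."""
    schemes, by_sha = {}, defaultdict(list)
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        schemes[user] = classify(hash_field)
        if schemes[user] == "sha1-unsalted":
            by_sha[hash_field].append(user)
    return {
        "schemes": schemes,
        "weak": sorted(u for u, s in schemes.items() if s in WEAK),
        # Identical {SHA} fields mean identical passwords; a salt would hide this.
        "shared_sha": {h: u for h, u in by_sha.items() if len(u) > 1},
    }

# Constructed sample file (not from any real system). The apr1 and bcrypt
# fields are shape-only placeholders; only the {SHA} entries are real digests.
SAMPLE = "\n".join([
    "admin:" + sha_entry("password"),
    "backup:" + sha_entry("password"),               # same password, same hash
    "legacy:$apr1$PLACEHLD$placeholderplaceholder00",
    "modern:$2y$05$" + "x" * 53,
    "oops:password",
])

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```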
Hi,
It didn't occur to me that someone would build SHA just like that.
Well, you have a point here.
However, our version of htpasswd does not have bcrypt:
[root@ipfire ~]# htpasswd --help
Usage:
        htpasswd [-cmdpsD] passwordfile username
        htpasswd -b[cmdpsD] passwordfile username password
        htpasswd -n[mdps] username
        htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password (default).
 -d  Force CRYPT encryption of the password.
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On other systems than Windows, NetWare and TPF the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
Could you please investigate why and how we can enable that?
I am really tight on time this week but I would like to push out the core update as soon as possible.
Best, -Michael
On Wed, 2016-10-05 at 08:13 +0000, IT Superhack wrote:
Hello Michael,
Michael Tremer:
Hi,
It didn't occur to me that someone would build SHA just like that.
No problem. :-)
Well, you have a point here.
However, our version of htpasswd does not have bcrypt:
[root@ipfire ~]# htpasswd --help
Usage:
        htpasswd [-cmdpsD] passwordfile username
        htpasswd -b[cmdpsD] passwordfile username password
        htpasswd -n[mdps] username
        htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password (default).
 -d  Force CRYPT encryption of the password.
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On other systems than Windows, NetWare and TPF the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
As far as I know at the moment, IPFire uses an outdated version of htpasswd. On my system (OpenSuSE 42.1), however, htpasswd is part of the "apache2-utils" package, which is already installed in the 2.4-x branch:
twilson@fra-03-47-1b:~> zypper info apache2-utils
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...

Informationen zu package apache2-utils:
---------------------------------------
Repository: openSUSE-Leap-42.1-Update
Name: apache2-utils
Version: 2.4.16-15.1
Architektur: x86_64
Hersteller: openSUSE
Installiert: Ja
Status: aktuell
Installationsgröße: 221,4 KiB
Zusammenfassung: Apache 2 utilities
Beschreibung:
Utilities provided by the Apache 2 Web Server project which are useful to administrators of web servers in general.
This difference can also be found when comparing these two links: https://httpd.apache.org/docs/2.2/programs/htpasswd.html https://httpd.apache.org/docs/current/programs/htpasswd.html
Could you please investigate why and how we can enable that?
Why: see above.
At the moment, I am facing trouble trying to update the htpasswd package. The LFS file for this seems to live in ipfire-2.x/lfs/perl-Apache-Htpasswd. But there is no external download URL:
include Config

VER        = 1.9

THISAPP    = Apache-Htpasswd-$(VER)
DL_FILE    = $(THISAPP).tar.gz
DL_FROM    = $(URL_IPFIRE)
DIR_APP    = $(DIR_SRC)/$(THISAPP)
TARGET     = $(DIR_INFO)/$(THISAPP)
The Wiki documentation on this topic is not helping: "DL_FROM the url where the archive can be downloaded from (notice this is a very unusual case where the archive is in the root directory of the server)." Uh-huh.
I'll try some more, but I am afraid that it might be weekend or so until I really get this working. Sorry.
Best regards, Timmothy Wilson
Hello Michael, hello Development-List,
Here is what I found out so far:
There is a Perl implementation of htpasswd, called Apache::Htpasswd, which is used by IPFire. The latest version is 1.9 (dated somewhere back in 2012); newer releases are not available.
Today it seems to be more common to use the htpasswd tool provided by the Apache webserver itself. It supports the bcrypt algorithm since version 2.4.4 (source: https://httpd.apache.org/docs/trunk/new_features_2_4.html#programs).
A simple test showed that this is true:
(1) download the Apache webserver (http://mirrors.m247.ro/apache//httpd/)
(2) unpack it
(3) run ./configure --prefix=SOMEPREFIX
(4) run make and wait a few minutes
(5) now an executable file can be found at support/htpasswd:
make[1]: Leaving directory '/home/twilson/tmp_apache_2.4.23/httpd-2.4.23'
twilson@fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23> cd support/
twilson@fra-03-47-1b:~/tmp_apache_2.4.23/httpd-2.4.23/support> ./htpasswd
Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 31).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
So far, so good, so boring. :-)
This, however, would require Apache 2.4.4 or higher. Although I cannot point at them right now, I remember that we had some problems a while ago trying to update to the 2.4.x-branch of Apache.
Since my building skills are very poor and I do not have enough spare time at the moment, upgrading and testing Apache is out of the question for me. :-(
In case somebody else here wants to have a closer look at it, I'd suggest: https://httpd.apache.org/docs/current/upgrading.html
Until then, Michael, I would ask you to revert the commit #eef9b2529c3cab522dac4f4bcfa1a0075376514e.
Best regards, Timmothy Wilson