This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core106 has been updated
       via  96473f525dcec4115b9bab0b305ff5b92194b134 (commit)
      from  6920fbe86df2cacefc1a91b9590d84a495734e65 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 96473f525dcec4115b9bab0b305ff5b92194b134
Author: Michael Tremer michael.tremer@ipfire.org
Date: Sat Oct 15 22:38:01 2016 +0100
Revert "setup: Store passwords in SHA format"
This reverts commit eef9b2529c3cab522dac4f4bcfa1a0075376514e.
It appears that htpasswd is not salting any passwords that are stored with the SHA (-s) algorithm. MD5 passwords however are salted.
That leads us to the conclusion that the "MD5 algorithm" in htpasswd is more secure than the "SHA algorithm" although the hash function itself should be stronger.
With a rainbow table, cracking "SHA" is easily done.
A rainbow table for "MD5" + salt would be way too large to be efficiently stored.
Hence this commit is reverted to old behaviour to avoid the clear failure of design in SHA.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne.fitzenreiter@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/106/filelists/files | 1 -
 src/setup/passwords.c                     | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/106/filelists/files b/config/rootfiles/core/106/filelists/files index fd363f3..a67d30a 100644 --- a/config/rootfiles/core/106/filelists/files +++ b/config/rootfiles/core/106/filelists/files @@ -22,5 +22,4 @@ srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/services.cgi -usr/sbin/setup var/ipfire/backup/include diff --git a/src/setup/passwords.c b/src/setup/passwords.c index 50ee38e..e7b4b52 100644 --- a/src/setup/passwords.c +++ b/src/setup/passwords.c @@ -56,7 +56,7 @@ int handleadminpassword(void) return 0; snprintf(commandstring, STRING_SIZE, - "/usr/sbin/htpasswd -c -s -b " CONFIG_ROOT "/auth/users admin '%s'", password); + "/usr/sbin/htpasswd -c -m -b " CONFIG_ROOT "/auth/users admin '%s'", password); sprintf(message, _("Setting %s 'admin' user password..."), NAME); if (runhiddencommandwithstatus(commandstring, _("Setting password"), message, NULL)) { sprintf(message, _("Problem setting %s 'admin' user password."), NAME);
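Review bot: in config/rootfiles/core/106/filelists/files, removing "usr/sbin/setup" from the core 106 list takes the setup binary out of this update, which is only correct if no core106 build carrying the "-s" variant has already been installed anywhere. If such a build went out, those systems keep the old binary, and any auth/users entry it wrote stays in the unsalted "{SHA}" form until the admin password is set again. Please confirm that no such build was distributed, or keep the file listed so the reverted binary is installed over it, and consider having the update flag "{SHA}" entries in auth/users.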
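Review bot: in src/setup/passwords.c, the restored "-m" line still passes the password with "-b" inside "'%s'", so the admin password appears on htpasswd's command line, and a password containing a single quote ends the quoting in commandstring if that string is handed to a shell. Suggest supplying the password on standard input (htpasswd's "-i" option, where the shipped version has it), or at least rejecting or escaping single quotes before the snprintf. A short comment above the call saying that "-m" is chosen because "-s" output is unsalted would also keep the reason from living only in the commit message.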
hooks/post-receive -- IPFire 2.x development tree
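An added example, not part of the original email or of IPFire's code: a Python audit sketch showing that the "{SHA}" entries discussed in the commit message are a pure function of the password (no salt), and flagging such entries in an htpasswd-style file. The user names other than admin and all hash values below are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def sha_entry(password: str) -> str:
    """Format written by `htpasswd -s`: "{SHA}" + base64(SHA-1(password)), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

# (prefix, label, salted?) for the entry formats this sketch recognises
SCHEMES = (
    ("{SHA}", "sha1", False),
    ("$apr1$", "apr1-md5", True),
    ("$2y$", "bcrypt", True),
)

def classify(hash_field: str):
    for prefix, label, salted in SCHEMES:
        if hash_field.startswith(prefix):
            return label, salted
    return "other", None  # crypt(3), plaintext or unknown: review by hand

def audit(text: str):
    """Return (users with unsalted entries, groups of users sharing one hash)."""
    unsalted, by_hash = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        if classify(hash_field)[1] is False:
            unsalted.append(user)
        by_hash[hash_field].append(user)
    shared = [users for users in by_hash.values() if len(users) > 1]
    return unsalted, shared

# Constructed sample: two users with the same password under {SHA},
# one user with a placeholder (not real) salted apr1 entry.
SAMPLE = "\n".join([
    "admin:" + sha_entry("constructed-example-pw"),
    "operator:" + sha_entry("constructed-example-pw"),
    "backup:$apr1$Zx8kq1Pd$CONSTRUCTEDnotARealHash00",
])

if __name__ == "__main__":
    unsalted, shared = audit(SAMPLE)
    print("unsalted {SHA} entries:", unsalted)
    print("users sharing one hash:", shared)
```

With a salted scheme the two identical passwords would produce different stored values, so the second list would be empty.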