only insecure htpasswd passwords supported #22

Open
poelzi opened this issue Feb 9, 2023 · 2 comments

Comments


poelzi commented Feb 9, 2023

htpasswd files like those generated by Apache are not properly supported.
The format is:

test:{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=

{SHA} is the hashing algorithm used; it can be MD5 or SHA, and without a prefix the CRYPT function is used.

htpasswd --help
....
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 17).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).

Currently, the server uses verify(), which does not properly detect anything but crypt, rendering the file insecure.
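The detection step the comment above describes (look at the prefix of the stored hash first, then pick the algorithm, and never fall through to a default) can be written as follows. This is an added example, not code from the project or from the issue author. It is stdlib-only: {SHA} and $apr1$ entries are verified directly, bcrypt ($2y$/$2a$/$2b$) entries are recognised but handed off because they need an external library, and legacy crypt entries are refused. The apr1_md5 routine is a reimplementation of Apache's published APR1-MD5 algorithm, not the project's code; the function names, the ITOA64 alphabet and the sample file are constructed for this example.

```python
"""Format-aware htpasswd verification (added example, not project code).

Look at the hash prefix first and pick the matching algorithm; never fall
through to a default. Stdlib only: {SHA} and $apr1$ are verified here,
bcrypt is detected but needs an external library, legacy crypt is refused.
apr1_md5 is a reimplementation of Apache's published APR1-MD5 algorithm.
All names and sample data below are constructed for this example.
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def detect_scheme(stored: str) -> str:
    """Classify a stored htpasswd hash by its prefix."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    # htpasswd -d output has no prefix: 2-char salt + 11 chars, 13 in total
    if len(stored) == 13 and all(c in ITOA64 for c in stored):
        return "crypt"
    return "unknown"


def _to64(value: int, count: int) -> str:
    """Apache's to64(): emit `count` base-64 chars, low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: bytes, salt: str) -> str:
    """Apache APR1-MD5 ($apr1$) hash, the htpasswd -m default."""
    salt = salt[:8]
    s = salt.encode()
    ctx = hashlib.md5(password + b"$apr1$" + s)
    alt = hashlib.md5(password + s + password).digest()
    pl = len(password)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def verify(stored: str, password: str) -> bool:
    """Check password against one stored hash; raise on unsupported schemes."""
    scheme = detect_scheme(stored)
    pw = password.encode()
    if scheme == "sha1":
        digest = base64.b64encode(hashlib.sha1(pw).digest()).decode()
        return hmac.compare_digest(digest, stored[len("{SHA}"):])
    if scheme == "apr1-md5":
        salt = stored.split("$")[2]
        return hmac.compare_digest(apr1_md5(pw, salt), stored)
    if scheme == "bcrypt":
        raise NotImplementedError("bcrypt entry: use a bcrypt library (e.g. bcrypt.checkpw)")
    # Refuse crypt (8-char limit) and anything unrecognised rather than guessing
    raise ValueError(f"unsupported htpasswd scheme: {scheme}")


def parse_htpasswd(text: str) -> dict:
    """user -> stored hash; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def sha1_entry(password: str) -> str:
    """Build a {SHA} entry the way htpasswd -s does (for the sample below)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample file (not from the issue); hashes are built at import time
SAMPLE = "\n".join([
    "# constructed sample",
    "alice:" + sha1_entry("correct horse"),
    "bob:" + apr1_md5(b"battery staple", "abcdefgh"),
    "carol:$2y$05$" + "x" * 53,   # bcrypt-shaped placeholder, not a real hash
])


def check_login(user: str, password: str, text: str = SAMPLE) -> bool:
    """True only if the user exists and the password matches its entry."""
    stored = parse_htpasswd(text).get(user)
    return stored is not None and verify(stored, password)
```

The important design choice is that an unrecognised or unsupported scheme raises instead of returning a comparison result: a verifier that silently treats every line as crypt (or as plaintext) will either reject valid logins or, worse, accept the stored string itself as the password.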


poelzi commented Feb 9, 2023

Maybe change to: https://github.com/aQaTL/htpasswd-verify


norpol commented Sep 9, 2023

I'm using Apache 2.4 with htpasswd -nbB user pass, which generates $2y$05$, which according to the Apache docs is bcrypt. I think the issue can be closed.
