Basic Auth: deprecation of DES crypt

[erikwilson]

When using a RHEL / CentOS / UBI 7 or 8 base image build of nginx several of the e2e tests fail due to DES deprecation with crypt.

ingress-nginx should default to SHA hashed passwords for basic auth, currently hashes generated from openssl passwd -crypt can replace -crypt with -6, and the following line should indicate a different hashing method in the salt, like foo:$6$

ingress-nginx/test/e2e/annotations/auth.go

Line 210 in b1c8e30

"auth": []byte("foo:"),

Without specifying a different hashing method in the salt the test will fail with a 500 code and a log message error like crypt_r() failed (22: Invalid argument) when using of the the above mentioned base images.

If the approach with updating the tests sounds acceptable I would be happy to submit a PR.

/kind feature

[rikatz]

@erikwilson go ahead with the PR :) let's take a look!

Also changing this in the whole Ingress (to use basic auth as SHA) generates any impact? If not, cant we use SHA for everything and deprecate DES for good in all the images?

Thanks

[erikwilson]

Thanks @rikatz! I think enforcing of SHA could be achieved by patching the nginx source for the base image, but it could also cause upgrade issues. Official docs like https://kubernetes.github.io/ingress-nginx/examples/auth/basic/ should probably be updated to use SHA hashing.

With the latest update of UBI8 as a base image for some reason I am no longer seeing crypt_r 500 errors using openssl passwd -crypt, only on the empty "auth" test case. It appears that FIPS enforcing mode may not be completely supported by nginx, as some tests like md5 password hashing appear to be passing.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rikatz]

/remove-lifecycle stale
/lifecycle active
/priority important-longterm

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[rikatz]

/lifecycle frozen
/assign