only insecure htpasswd passwords supported #22

Open
poelzi opened this issue Feb 9, 2023 · 2 comments

Comments


poelzi commented Feb 9, 2023

htpasswd files like those generated by Apache are not properly supported.
The format is:

test:{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=

{SHA} is the hashing algorithm used; it can be MD5 or SHA. Without it, the CRYPT function is used.

htpasswd --help
....
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 17).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).

Currently, the server uses verify(), which does not properly detect anything but crypt, rendering the file insecure.
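
A scheme-aware verifier of the kind this report asks for, added here as an example (it is not code from this project, from Apache, or from htpasswd-verify): it dispatches on the stored prefix, implements the {SHA} check and Apache's $apr1$ md5crypt variant that `htpasswd -m` writes, and leaves bcrypt and crypt(3) to dedicated libraries, so it goes a step beyond the issue text by also covering the default -m format. The password "correct horse" and salt "x9Qa3Zk1" in the sample are constructed; the {SHA} line is the one quoted above.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIXES = {"{SHA}": "sha1", "$apr1$": "apr1", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

def apr1_crypt(password, salt):
    """Apache's $apr1$ variant of md5crypt, what `htpasswd -m` (the default) writes."""
    pw, salt = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1-bit, pw[0] for a 0-bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(salt)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""  # crypt-style base64 over a permuted digest, 6 bits at a time, LSB first
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(ITOA64[(v >> 6 * k) & 63] for k in range(4))
    out += "".join(ITOA64[(final[11] >> 6 * k) & 63] for k in range(2))
    return f"$apr1${salt.decode()}${out}"

def sha1_entry(password):
    """What `htpasswd -s` writes: '{SHA}' + base64(sha1(password)), unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def detect_scheme(stored):
    """Pick the scheme by prefix; Apache falls back to crypt(3) for anything else."""
    return next((s for p, s in PREFIXES.items() if stored.startswith(p)), "crypt")

def verify(password, stored):
    """True iff password matches; bcrypt and crypt(3) are delegated, not implemented here."""
    scheme = detect_scheme(stored)
    if scheme == "sha1":
        return hmac.compare_digest(sha1_entry(password), stored)
    if scheme == "apr1":
        return hmac.compare_digest(apr1_crypt(password, stored.split("$")[2]), stored)
    raise NotImplementedError(f"{scheme}: delegate to bcrypt.checkpw or crypt(3)")

# Constructed sample: the issue's own {SHA} line plus an apr1 line for a known password.
SAMPLE = {"test": "{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=", "alice": apr1_crypt("correct horse", "x9Qa3Zk1")}
```

Entries whose scheme comes back as "sha1" or "crypt" are the ones `htpasswd --help` itself labels insecure and are worth flagging when the file is loaded.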


poelzi commented Feb 9, 2023

Maybe change to: https://github.com/aQaTL/htpasswd-verify


norpol commented Sep 9, 2023

I'm using Apache 2.4 with htpasswd -nbB user pass, which generates $2y$05$, which according to the Apache docs is bcrypt. I think the issue can be closed.
