Source: squid3
Severity: normal

Apache's htpasswd tool, useful when manipulating
htpasswd files, supports adding passwords
hashed and salted with MD5 and SHA.

ncsa_auth should support such hashes.

They look like this:

# crypt()  (default or -d)

webserver:/etc/squid3# htpasswd -bc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:Wm7SA6/sc2/Y.
webserver:/etc/squid3# htpasswd -bc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:9e2QjrOR8b1Zc

# SHA  (-s)

webserver:/etc/squid3# htpasswd -sbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:{SHA}sbN3OgXA7QF2eHpPFXT/AHX3Uh4=
webserver:/etc/squid3# htpasswd -sbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:{SHA}sbN3OgXA7QF2eHpPFXT/AHX3Uh4=
webserver:/etc/squid3# htpasswd -sbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:{SHA}sbN3OgXA7QF2eHpPFXT/AHX3Uh4=


# MD5 (-m)

webserver:/etc/squid3# htpasswd -mbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:$apr1$AL224hHa$mQE4w7ML09ao/0x/264nB1
webserver:/etc/squid3# htpasswd -mbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:$apr1$kl6cHqe4$yZx7js/Va8hGZ0.AjUncD1
webserver:/etc/squid3# htpasswd -mbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:$apr1$FTc2dbFw$ZM1oc.grzf4HJFXM62yku.
webserver:/etc/squid3# htpasswd -mbc kolowicze.htpasswd baryluk qwerty; cat kolowicze.htpasswd
baryluk:$apr1$7AM4TxwV$Sl1Qo3RRYAMMtVBY/7fBi/

As you can see, MD5 and crypt are salted. Adding support
(detection should be easy).

Documentation of htpasswd says:

    The SHA encryption format does not use salting: for a given password,
    there is only one encrypted representation. The crypt() and MD5 formats
    permute the representation by prepending a random salt string, to make
    dictionary attacks against the passwords more difficult.

    The MD5 algorithm used by htpasswd is specific to the Apache software;
    passwords encrypted using it will not be usable with other Web servers.


However, it is good to have at least MD5 with salting in ncsa_auth (even if it
is Apache-specific).
SHA-256 with salting and a variable number of rounds would be best.

Common salting schemes, and the text formatting of them, are on
http://www.php.net/manual/pl/function.crypt.php

Regards,
Witek



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=pl_PL.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
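The detection the report says should be easy, worked through as an added example (not the reporter's code, and not ncsa_auth's or Apache's): it classifies the three hash styles shown above, the 13-character crypt() form, the unsalted `{SHA}` form, and Apache's salted `$apr1$` form, and verifies a password against each. The `$apr1$` routine is a reimplementation of the apr_md5_encode algorithm (password, `$apr1$`, salt, then 1000 dependent MD5 rounds), written from its description; the `{SHA}` and `$apr1$` entries below are copied from the report's output, while the user names `sha_user` and `des_user` are constructed for the lookup. Traditional crypt() is delegated to Python's `crypt` module where it still exists (it was removed from the standard library in 3.13), so that case returns None rather than a verdict on newer interpreters.

```python
"""Detect and verify the three htpasswd hash styles from the report.
Added example; not part of ncsa_auth, Squid or Apache."""
import base64
import hashlib
import hmac

try:
    import crypt  # DES crypt(); deprecated in 3.11, removed from the stdlib in 3.13
except ImportError:
    crypt = None

# Alphabet used by crypt()-style hashes for their 6-bit groups
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` ITOA64 digits of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """Apache MD5 crypt (reimplementation of apr_md5_encode's algorithm)."""
    pw = password.encode()
    salt = salt.split("$", 1)[0][:8]  # at most 8 salt characters, stop at '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:  # one byte per bit of the password length
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow part: 1000 chained MD5 rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    encoded = (
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4)
        + _to64((final[1] << 16) | (final[7] << 8) | final[13], 4)
        + _to64((final[2] << 16) | (final[8] << 8) | final[14], 4)
        + _to64((final[3] << 16) | (final[9] << 8) | final[15], 4)
        + _to64((final[4] << 16) | (final[10] << 8) | final[5], 4)
        + _to64(final[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def detect_format(hashed):
    """Return (format name, salted?) for one htpasswd hash field."""
    if hashed.startswith("$apr1$"):
        return "apr1-md5", True
    if hashed.startswith("{SHA}"):
        return "sha1", False  # base64(SHA-1(password)) with no salt
    if len(hashed) == 13 and all(c in ITOA64 for c in hashed):
        return "crypt", True  # 2-character salt followed by 11 hash characters
    return "unknown", False


def verify(password, hashed):
    """True/False for a supported format, None when it cannot be checked here."""
    fmt, _ = detect_format(hashed)
    if fmt == "apr1-md5":
        return hmac.compare_digest(apr1_crypt(password, hashed[6:]), hashed)
    if fmt == "sha1":
        digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest("{SHA}" + digest, hashed)
    if fmt == "crypt" and crypt is not None:
        return hmac.compare_digest(crypt.crypt(password, hashed[:2]), hashed)
    return None


def check_htpasswd(lines, user, password):
    """Find `user` in htpasswd lines and verify `password` against its hash."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, hashed = line.split(":", 1)
        if name == user:
            return verify(password, hashed)
    return None  # unknown user


# Hash values copied from the report (all made for the password "qwerty");
# the user names other than baryluk are constructed for this example.
HTPASSWD_LINES = [
    "baryluk:$apr1$AL224hHa$mQE4w7ML09ao/0x/264nB1",
    "sha_user:{SHA}sbN3OgXA7QF2eHpPFXT/AHX3Uh4=",
    "des_user:Wm7SA6/sc2/Y.",
]

if __name__ == "__main__":
    for entry in HTPASSWD_LINES:
        name, hashed = entry.split(":", 1)
        print(name, detect_format(hashed), verify("qwerty", hashed))
```

Running it prints the format and the verification result for each of the three entries. The `hmac.compare_digest` calls are there because an authenticator compares attacker-influenced strings; a plain `==` would leak timing. Note that none of these formats is what the report ultimately asks for: `{SHA}` has no salt, and the 1000-round MD5 work factor is fixed rather than tunable.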


