Posted to cvs@httpd.apache.org by sf...@apache.org on 2009/10/19 22:53:04 UTC

svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Author: sf
Date: Mon Oct 19 20:53:04 2009
New Revision: 826805

URL: http://svn.apache.org/viewvc?rev=826805&view=rev
Log:
Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
with its 8 character limit is not useful anymore.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
    httpd/httpd/trunk/support/htpasswd.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=826805&r1=826804&r2=826805&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Mon Oct 19 20:53:04 2009
@@ -10,6 +10,8 @@
      mod_proxy_ftp: NULL pointer dereference on error paths.
      [Stefan Fritsch <sf fritsch.de>, Joe Orton]
 
+  *) htpasswd: Use MD5 hash by default on all platforms. [Stefan Fritsch]
+
   *) mod_sed: Reduce memory consumption when processing very long lines.
      PR 48024 [Basant Kumar Kukreja <basant.kukreja sun.com>]
 
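Review bot: the CHANGES entry reads like a feature line, but the hunk records a change to the default behaviour of a shipped command-line tool, so word it as one so release notes flag it, e.g. "htpasswd: MD5 ($apr1$) is now the default hash on all platforms; use -d to keep crypt() output." A reader of this line alone cannot tell that scripts relying on crypt()-style output must now pass -d.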

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=826805&r1=826804&r2=826805&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Mon Oct 19 20:53:04 2009
@@ -103,14 +103,12 @@
     one) is omitted. It cannot be combined with the <code>-c</code> option.</dd>
 
     <dt><code>-m</code></dt>
-    <dd>Use MD5 encryption for passwords. On Windows and Netware, this is
-    the default.</dd>
+    <dd>Use MD5 encryption for passwords. This is the default.</dd>
 
     <dt><code>-d</code></dt>
-    <dd>Use <code>crypt()</code> encryption for passwords. The default on all
-    platforms but Windows and Netware. Though possibly supported by
-    <code>htpasswd</code> on all platforms, it is not supported by the
-    <program>httpd</program> server on Windows and Netware.</dd>
+    <dd>Use <code>crypt()</code> encryption for passwords. This is not
+    supported by the <program>httpd</program> server on Windows and
+    Netware.</dd>
 
     <dt><code>-s</code></dt>
     <dd>Use SHA encryption for passwords. Facilitates migration from/to Netscape
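Review bot: the -d description loses the reason the log message gives for this change; the new text says crypt() is unsupported by httpd on Windows and NetWare but no longer tells the reader why -d is a poor choice elsewhere, so add one sentence noting that crypt() truncates passwords at 8 characters. The -s entry in the trailing context ("Use SHA encryption for passwords. Facilitates migration ...") should also carry the caveat this same commit adds to the htpasswd.c usage text, that SHA entries are unsalted and weaker than MD5; the manual and the tool should not disagree about it.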
@@ -161,10 +159,9 @@
     </example>
 
     <p>Adds or modifies the password for user <code>jsmith</code>. The user
-    is prompted for the password. If executed on a Windows system, the password
-    will be encrypted using the  modified Apache MD5 algorithm; otherwise, the
-    system's <code>crypt()</code> routine will be used. If the file does not
-    exist, <code>htpasswd</code> will do nothing except return an error.</p>
+    is prompted for the password. The password will be encrypted using the
+    modified Apache MD5 algorithm. If the file does not exist,
+    <code>htpasswd</code> will do nothing except return an error.</p>
 
     <example>
       htpasswd -c /home/doe/public_html/.htpasswd jane
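Review bot: the rewritten sentence "The password will be encrypted using the modified Apache MD5 algorithm" is now stated unconditionally for an example that passes no algorithm flag; make it "Unless -d, -s or -p is given, the password will be encrypted using ..." so the paragraph stays correct next to the option list above, which still documents three ways to override the default.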
@@ -176,11 +173,12 @@
     will display a message and return an error status.</p>
 
     <example>
-      htpasswd -mb /usr/web/.htpasswd-all jones Pwd4Steve
+      htpasswd -db /usr/web/.htpasswd-all jones Pwd4Steve
     </example>
 
     <p>Encrypts the password from the command line (<code>Pwd4Steve</code>)
-    using the MD5 algorithm, and stores it in the specified file.</p>
+    using the <code>crypt()</code> algorithm, and stores it in the specified
+    file.</p>
 </section>
 
 <section id="security"><title>Security Considerations</title>
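Review bot: switching this example from -mb to -db makes it store a crypt() hash of Pwd4Steve, which is nine characters, so under the 8-character limit the log message cites the stored value covers only Pwd4Stev; the example now demonstrates exactly the weakness the commit is meant to retire, and the new explanatory sentence does not mention it. Either keep the example on the default algorithm (drop -d and describe MD5 output) or use a password of at most 8 characters and state that crypt() truncates.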

Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=826805&r1=826804&r2=826805&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Mon Oct 19 20:53:04 2009
@@ -243,14 +243,9 @@
     apr_file_printf(errfile, " -n  Don't update file; display results on "
                     "stdout." NL);
     apr_file_printf(errfile, " -m  Force MD5 encryption of the password"
-#if defined(WIN32) || defined(NETWARE)
         " (default)"
-#endif
         "." NL);
     apr_file_printf(errfile, " -d  Force CRYPT encryption of the password"
-#if (!(defined(WIN32) || defined(NETWARE)))
-            " (default)"
-#endif
             "." NL);
     apr_file_printf(errfile, " -p  Do not encrypt the password (plaintext)." NL);
     apr_file_printf(errfile, " -s  Force SHA encryption of the password." NL);
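Review bot: with the platform-conditional "(default)" removed from the -d line, nothing in usage now tells the user that -d output is rejected by httpd on Windows and NetWare, although the manual change in this same commit keeps that statement; carry it into the option text, e.g. " -d  Force CRYPT encryption of the password (not supported by httpd on Windows/NetWare)." The two removed #if blocks are the only places this hunk touches, so the -p and -s lines in the trailing context are unaffected.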
@@ -258,10 +253,11 @@
             "rather than prompting for it." NL);
     apr_file_printf(errfile, " -D  Delete the specified user." NL);
     apr_file_printf(errfile,
-            "On Windows and NetWare systems the '-m' flag is used by "
-            "default." NL);
+            "On other systems than Windows and NetWare the '-p' flag will "
+            "probably not work." NL);
     apr_file_printf(errfile,
-            "On all other systems, the '-p' flag will probably not work." NL);
+            "The SHA algorithm does not use a salt and is less secure than "
+            "the MD5 algorithm." NL);
     exit(ERR_SYNTAX);
 }
 
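Review bot: the rewritten first message reads "On other systems than Windows and NetWare the '-p' flag will probably not work"; the natural phrasing is "On systems other than Windows and NetWare". The new second message warns that SHA is unsalted and weaker than MD5, which is a good addition, but the motivation for this very commit, crypt()'s 8-character truncation, is still absent from usage; a matching line such as "The CRYPT algorithm truncates passwords at 8 characters." would keep the tool's own help consistent with the log message.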
@@ -428,7 +424,7 @@
     char *scratch, cp[MAX_STRING_LEN];
     int found = 0;
     int i;
-    int alg = ALG_CRYPT;
+    int alg = ALG_APMD5;
     int mask = 0;
     apr_pool_t *pool;
     int existing_file = 0;
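Review bot: changing the initializer to ALG_APMD5 only works as the new cross-platform default if `alg` is not reassigned before option parsing; the usage text removed earlier in this same patch shows that MD5 was already the default on Windows and NetWare, so some platform-conditional selection existed, yet this diff removes no such code. Confirm that override is gone or now dead, otherwise the WIN32/NETWARE path and the new initializer are two sources of truth for the same default.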



Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Why?  2.2 and 2.4 (and 1.3) all support MD5/SHA1/(local implementation of) crypt,
except win32, which had no crypt.

The only advantage to MD5 (SHA1) is that pw's are never 8 chars truncated, and
they don't depend on the local crypt implementation, so they don't vary between
boxes.

Jim Jagielski wrote:
> Wouldn't this be Bad Mojo for anyone upgrading from 2.2 to 2.4?
> 
> On Oct 19, 2009, at 4:53 PM, sf@apache.org wrote:
> 
>> Author: sf
>> Date: Mon Oct 19 20:53:04 2009
>> New Revision: 826805
>>
>> URL: http://svn.apache.org/viewvc?rev=826805&view=rev
>> Log:
>> Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
>> with its 8 character limit is not useful anymore.
>>
> 
> 
> 


Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Posted by Jim Jagielski <ji...@jaguNET.com>.
Wouldn't this be Bad Mojo for anyone upgrading from 2.2 to 2.4?

On Oct 19, 2009, at 4:53 PM, sf@apache.org wrote:

> Author: sf
> Date: Mon Oct 19 20:53:04 2009
> New Revision: 826805
>
> URL: http://svn.apache.org/viewvc?rev=826805&view=rev
> Log:
> Change the default algorithm for htpasswd to MD5 on all platforms.  
> Crypt
> with its 8 character limit is not useful anymore.
>


Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Tuesday 20 October 2009, William A. Rowe, Jr. wrote:
> >> Change the default algorithm for htpasswd to MD5 on all
> >> platforms. Crypt with its 8 character limit is not useful
> >> anymore.
> >
> > 
> > I think it is odd that an interface change like this would
> > be made without discussion on list.  What will it break for
> > existing configs?  And if we are going to change the default,
> > then we might as well change it to something other than MD5,
> > or at least use extended crypt when available.
> 
> Precisely; at least SHA1 is both portable, and slightly more
>  resilient than MD5.
> 

I sent a mail [1] to the list in July and nobody responded. Therefore 
I assumed that nobody has a strong opinion about this. I am sorry if 
this was a mistake.

WRT existing configs, this is not a change I would lightly recommend 
for backport to 2.2.x, but for 2.4.x it should be ok. Windows users 
had md5 as default for ages, and httpd supports it at least since 2.0.

The SHA1 algorithm in htpasswd does not use seeding and is therefore 
vulnerable to dictionary and rainbow table attacks. MD5 is the most 
secure algorithm that is currently supported.

I am in favour of adding more secure algorithms (bcrypt?), but those 
could not be used as default immediately.

[2] has an (outdated) table with brute force speeds, where apache's 
MD5 is one of the slowest algorithms. I would be interested in how 
fast modern, GPU using password crackers are for the apache MD5 
algorithm. But I haven't found any information about this.

Cheers,
Stefan

[1] http://mail-archives.apache.org/mod_mbox/httpd-dev/200907.mbox/<38...@www.sfritsch.de>
[2] http://c3rb3r.openwall.net/mdcrack/
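The two on-disk formats this thread compares, as an added example that is not code from httpd or from anyone in the thread: the unsalted {SHA} entry written by htpasswd -s and the salted, 1000-round $apr1$ entry written by htpasswd -m, both implemented here in Python from the public algorithm descriptions (the $apr1$ routine follows md5crypt with Apache's magic string; it is this example's own code, not apr_md5_encode()). The user names, passwords and wordlist are constructed for the demonstration, and every helper name is the example's own. It shows the point made above: one precomputed table of {SHA} values recovers every user who picked a listed password, while the same table finds nothing against $apr1$ entries because each salt would need its own table. It also shows, via verify(), that $apr1$ distinguishes Pwd4Steve from Pwd4Stev, which an 8-character crypt() cannot.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

# Alphabet htpasswd uses both for salts and for the encoded $apr1$ digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def sha_entry(password: str) -> str:
    """'{SHA}' + base64(SHA-1(password)), the htpasswd -s format.
    No salt: equal passwords always produce identical entries."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def _to64(value: int, count: int) -> str:
    """md5crypt's base-64 step: 6 bits per character, least significant first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_entry(password: str, salt: Optional[str] = None) -> str:
    """The Apache md5crypt variant written by htpasswd -m: magic '$apr1$',
    up to 8 salt characters, 1000 rounds (example implementation)."""
    if salt is None:  # fresh random salt for a new entry, as the tool does
        salt = "".join(ITOA64[b & 0x3F] for b in os.urandom(8))
    salt = salt[:8]
    pw, s, magic = password.encode(), salt.encode(), b"$apr1$"

    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in alt, one byte per password byte
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # the slow part: 1000 dependent MD5 rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


_APR1_RE = re.compile(r"\$apr1\$([./0-9A-Za-z]{1,8})\$[./0-9A-Za-z]{22}")


def verify(password: str, entry: str) -> bool:
    """Server-side check of a candidate against a stored entry. The salt is
    read from the entry itself; comparison is constant-time."""
    if entry.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password), entry)
    m = _APR1_RE.fullmatch(entry)
    if m:
        return hmac.compare_digest(apr1_entry(password, m.group(1)), entry)
    return False


def build_sha_table(wordlist: Iterable[str]) -> dict:
    """Precompute {SHA} entries once; the table works against every unsalted file."""
    return {sha_entry(w): w for w in wordlist}


def crack(entries: dict, table: dict) -> dict:
    """Look each stored entry up in the table; a hit recovers the password."""
    return {user: table[e] for user, e in entries.items() if e in table}


# Constructed data: a tiny wordlist and two users who chose the same listed password.
WORDLIST = ["123456", "password", "letmein", "Pwd4Steve"]


def demo() -> dict:
    table = build_sha_table(WORDLIST)
    sha_file = {"jsmith": sha_entry("password"), "jones": sha_entry("password")}
    apr1_file = {"jsmith": apr1_entry("password"), "jones": apr1_entry("password")}
    return {
        "sha_cracked": crack(sha_file, table),    # both users, from one table
        "apr1_cracked": crack(apr1_file, table),  # nothing: a table per salt is needed
        "sha_identical": sha_file["jsmith"] == sha_file["jones"],
        "apr1_identical": apr1_file["jsmith"] == apr1_file["jones"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the two cracking results side by side. The random salt means two $apr1$ entries for the same password differ, and so do the per-entry tables an attacker would have to build; the {SHA} table is built once and reused. None of this makes $apr1$ a modern choice (1000 MD5 rounds is cheap on a GPU), but it is the salted option among the three formats discussed.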

Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Roy T. Fielding wrote:
> On Oct 19, 2009, at 1:53 PM, sf@apache.org wrote:
> 
>> Author: sf
>> Date: Mon Oct 19 20:53:04 2009
>> New Revision: 826805
>>
>> URL: http://svn.apache.org/viewvc?rev=826805&view=rev
>> Log:
>> Change the default algorithm for htpasswd to MD5 on all platforms. Crypt
>> with its 8 character limit is not useful anymore.
> 
> I think it is odd that an interface change like this would
> be made without discussion on list.  What will it break for
> existing configs?  And if we are going to change the default,
> then we might as well change it to something other than MD5,
> or at least use extended crypt when available.

Precisely; at least SHA1 is both portable, and slightly more resilient than MD5.



Re: svn commit: r826805 - in /httpd/httpd/trunk: CHANGES docs/manual/programs/htpasswd.xml support/htpasswd.c

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Oct 19, 2009, at 1:53 PM, sf@apache.org wrote:

> Author: sf
> Date: Mon Oct 19 20:53:04 2009
> New Revision: 826805
>
> URL: http://svn.apache.org/viewvc?rev=826805&view=rev
> Log:
> Change the default algorithm for htpasswd to MD5 on all platforms.  
> Crypt
> with its 8 character limit is not useful anymore.

I think it is odd that an interface change like this would
be made without discussion on list.  What will it break for
existing configs?  And if we are going to change the default,
then we might as well change it to something other than MD5,
or at least use extended crypt when available.

....Roy