Date: Mon, 08 Sep 2014 20:15:04 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 193469] New: defective crypt() implementation affects Apache 2.4, possibly 2.2
Message-ID: <bug-193469-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193469

            Bug ID: 193469
           Summary: defective crypt() implementation affects Apache 2.4,
                    possibly 2.2
           Product: Ports Tree
           Version: Latest
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: papowell@astart.com

Another port hit by the defective crypt() implementation for FreeBSD 9.3.

See Apache documentation for authentication:
  http://httpd.apache.org/docs/2.2/howto/auth.html
  and http://httpd.apache.org/docs/2.4/howto/auth.html

See password formats for Apache 2.4:
  http://httpd.apache.org/docs/2.4/misc/password_encryptions.html

CRYPT
  $ htpasswd -nbd myName myPassword
  myName:rqXexS6ZhobKA

And when run on FreeBSD 9.3:

  htpasswd -nbd myName myPassword
  myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1

Question: does Apache 2.4 recognize this format for encrypted passwords?

Server version: Apache/2.4.10 (FreeBSD)

I put this value into an htpasswd file and discovered that it did not.

From the Apache 2.4 documentation (and the Apache 2.2 documentation is almost identical):

  There are five formats that Apache recognizes for basic-authentication
  passwords. Note that not all formats work on every platform:

  bcrypt
    "$2y$" + the result of the crypt_blowfish algorithm. See the APR source
    file crypt_blowfish.c for the details of the algorithm.

  MD5
    "$apr1$" + the result of an Apache-specific algorithm using an iterated
    (1,000 times) MD5 digest of various combinations of a random 32-bit salt
    and the password. See the APR source file apr_md5.c for the details of
    the algorithm.

  SHA1
    "{SHA}" + Base64-encoded SHA-1 digest of the password. Insecure.

  CRYPT
    Unix only. Uses the traditional Unix crypt(3) function with a
    randomly-generated 32-bit salt (only 12 bits used) and the first 8
    characters of the password. Insecure.
So it appears that the $6$ is not documented as being valid and using it as an
encrypted password value does not work.

-- 
You are receiving this mail because:
You are the assignee for the bug.
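The practical consequence of the report is that an htpasswd file written on a host whose crypt() emits a modular-crypt hash such as $6$ silently locks those users out. The following script is an added example, not part of the bug report, Apache or FreeBSD: it audits an htpasswd file against the four format rules quoted from the Apache documentation above (the "$2y$", "$apr1$", "{SHA}" prefixes and the 13-character traditional crypt form) and lists every entry Apache will not accept. The function names and the sample file are constructed for this example; the first two hashes in the sample are the ones shown in the report, the SHA1 entry is computed in place, and the bcrypt and apr1 entries are placeholder strings that carry only the right prefix, not real hashes of any password.

```python
import base64
import hashlib
import re

# Added example (not from the bug report, Apache or FreeBSD): audit an
# htpasswd file against the four basic-auth hash formats the Apache docs
# quoted above list, and flag entries in any other form (such as the
# "$6$..." output that FreeBSD 9.3's crypt() produced in the report).

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z]
TRAD_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(hashed):
    """Map one htpasswd hash string to (format, recognized, insecure).

    'recognized' is whether the Apache docs list the format; 'insecure' is
    the docs' own verdict on it (None when the format is not recognized).
    """
    if hashed.startswith("$2y$"):
        return ("bcrypt", True, False)
    if hashed.startswith("$apr1$"):
        return ("apr-md5", True, False)
    if hashed.startswith("{SHA}"):
        return ("sha1", True, True)
    if TRAD_CRYPT.match(hashed):
        return ("crypt", True, True)
    # Anything else, e.g. "$6$..." from a modular-crypt libc, is not a format
    # Apache basic auth knows, so the user can never log in.
    return ("unknown", False, None)


def audit_htpasswd(text):
    """Parse htpasswd content; return one audit dict per non-comment line."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user or not hashed:
            report.append({"line": lineno, "user": user, "format": "malformed",
                           "recognized": False, "insecure": None})
            continue
        fmt, recognized, insecure = classify_hash(hashed)
        report.append({"line": lineno, "user": user, "format": fmt,
                       "recognized": recognized, "insecure": insecure})
    return report


def unusable_users(text):
    """Users whose entry Apache will never accept (unrecognized or malformed)."""
    return [e["user"] for e in audit_htpasswd(text) if not e["recognized"]]


# Constructed sample file. The first two hashes are the ones shown in the
# report (upstream docs' crypt output, then FreeBSD 9.3's output); the SHA1
# entry is computed here; the bcrypt and apr1 entries are placeholder strings
# with the right prefix only, not real hashes of any password.
SHA1_ENTRY = "{SHA}" + base64.b64encode(hashlib.sha1(b"myPassword").digest()).decode()
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample",
    "myName:rqXexS6ZhobKA",
    "myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1",
    "alice:$2y$05$PLACEHOLDERbcryptPLACEHOLDERbcryptPLACEHOLDERbcrypt",
    "bob:$apr1$PLACEHOLDER$PLACEHOLDERapr1PLACEHOLDER",
    "carol:" + SHA1_ENTRY,
    "dave:",  # empty hash field, malformed
])

if __name__ == "__main__":
    for entry in audit_htpasswd(SAMPLE_HTPASSWD):
        print(entry)
    print("unusable:", unusable_users(SAMPLE_HTPASSWD))
```

Run against a real file (`audit_htpasswd(open(path).read())`) after generating or migrating credentials on a new host; any "unknown" entry means the generating tool used the platform's crypt() rather than a format Apache parses, and the "insecure" flag reproduces the documentation's own warning for the {SHA} and traditional crypt forms.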