
please don't default to crypt

Open FlorianHeigl opened this issue 10 years ago • 1 comments

Hi,

in the readme it says:

This backend use the crypt function, here an example where -d force the use of crypt encryption when generating the htpasswd file:

  • this application is running with root permissions
  • has access to all containers
  • has access to the base system

Please at least have your documentation not run people right into the most insecure encryption they could use. Maybe rather show how to do it with auth on the frontend webserver if it's too hard to change in lxc?

FlorianHeigl, Nov 10 '15 15:11
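To see which scheme the entries in an existing htpasswd file actually use, the following added example (not part of this issue or of the LXC-Web-Panel code) classifies each hash field by its format. The strong/legacy/weak ratings and the sample entries are assumptions of this example.

```python
import re

# Traditional DES crypt(3), the format `htpasswd -d` writes: a 2-character
# salt plus 11 hash characters. Only the first 8 password characters count.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# (prefix, scheme, rating). The ratings are this example's policy.
PREFIXES = [
    ("$2y$", "bcrypt", "strong"), ("$2a$", "bcrypt", "strong"),
    ("$2b$", "bcrypt", "strong"),
    ("$6$", "sha512-crypt", "strong"), ("$5$", "sha256-crypt", "strong"),
    ("$apr1$", "apr1-md5", "legacy"),
    ("{SHA}", "sha1-unsalted", "weak"),
]

def classify(hash_field):
    """Return (scheme, rating) for the hash part of one htpasswd entry."""
    for prefix, scheme, rating in PREFIXES:
        if hash_field.startswith(prefix):
            return scheme, rating
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt", "weak"
    # Anything else is stored as-is (plaintext) or in an unrecognised format.
    return "plaintext-or-unknown", "weak"

def audit(text):
    """List (line number, user, scheme, rating) for every non-strong entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed", "weak"))
            continue
        scheme, rating = classify(hash_field)
        if rating != "strong":
            findings.append((lineno, user, scheme, rating))
    return findings

# Constructed sample file; the hash values are placeholders, not real hashes.
SAMPLE = """\
# constructed entries, not real credentials
alice:abJnggxhB/yJo
bob:$apr1$Cnstrct0$AAAAAAAAAAAAAAAAAAAAAA
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:$2y$10$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
erin:hunter2
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A 13-character plaintext value made only of crypt's alphabet would be reported as des-crypt, so treat that label as a format match rather than proof of the algorithm.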

Hi @FlorianHeigl thanks for your comment. The htpasswd backend was proposed by @mihu and is now in https://github.com/claudyus/LXC-Web-Panel/blob/master/lwp/authenticators/htpasswd.py

Feel free to propose a PR to improve it.

I don't see any security problem in using crypt to store passwd here. If your lxc host is compromised by an attacker (and he can read the htpasswd file), reversing the encryption to retrieve the lwp password is the least dangerous thing that the attacker can do.

claudyus, Jan 31 '16 17:01