webdav-server-rs
only insecure htpasswd passwords supported
htpasswd files like those generated by Apache are not properly supported. The format is:
test:{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=
{SHA} is the hashing algorithm used; it can be MD5 or SHA. Without it, the CRYPT function is used.
htpasswd --help
....
-m Force MD5 encryption of the password (default).
-B Force bcrypt encryption of the password (very secure).
-C Set the computing time used for the bcrypt algorithm
(higher is more secure but slower, default: 5, valid: 4 to 17).
-d Force CRYPT encryption of the password (8 chars max, insecure).
-s Force SHA encryption of the password (insecure).
Currently, the server uses verify(), which does not properly detect anything but crypt, rendering the file insecure.
Maybe change to: https://github.com/aQaTL/htpasswd-verify
I'm using Apache 2.4 with htpasswd -nbB user pass, which generates $2y$05$, which according to the Apache docs is bcrypt. I think the issue can be closed.
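The hash formats discussed in this thread can be told apart by their prefix. The following is an added example, not code from webdav-server-rs or from either participant: a std-only audit that classifies each htpasswd entry and flags the schemes the quoted `htpasswd --help` text labels insecure. The type and function names are illustrative, and the bcrypt entry in the sample is a constructed placeholder.

```rust
// Added example; type and function names are illustrative, not the project's API.
#[derive(Debug, PartialEq)]
pub enum Scheme {
    Bcrypt { cost: u32 }, // $2y$NN$... (htpasswd -B, cost set with -C)
    Md5Apr1,              // $apr1$...  (htpasswd -m)
    Sha1,                 // {SHA}...   (htpasswd -s)
    Crypt,                // 13-char traditional crypt(3) (htpasswd -d)
    Unknown,
}

pub fn classify(hash: &str) -> Scheme {
    for p in ["$2y$", "$2a$", "$2b$"] {
        if let Some(rest) = hash.strip_prefix(p) {
            // The digits up to the next '$' are the bcrypt cost.
            return match rest.split('$').next().and_then(|c| c.parse::<u32>().ok()) {
                Some(cost) => Scheme::Bcrypt { cost },
                None => Scheme::Unknown,
            };
        }
    }
    if hash.starts_with("$apr1$") { return Scheme::Md5Apr1; }
    if hash.starts_with("{SHA}") { return Scheme::Sha1; }
    let crypt_char = |c: char| c.is_ascii_alphanumeric() || c == '.' || c == '/';
    if hash.len() == 13 && hash.chars().all(crypt_char) { return Scheme::Crypt; }
    Scheme::Unknown
}

/// Schemes that the `htpasswd --help` text quoted above labels "insecure".
pub fn is_insecure(s: &Scheme) -> bool {
    matches!(s, Scheme::Sha1 | Scheme::Crypt)
}

/// Parse htpasswd content into (user, scheme) pairs, skipping blanks and comments.
pub fn audit(content: &str) -> Vec<(String, Scheme)> {
    content.lines().map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once(':'))
        .map(|(u, h)| (u.to_string(), classify(h)))
        .collect()
}

fn main() {
    // Constructed sample; only the first entry appears in the thread.
    let sample = "test:{SHA}Or7xoUzOzSDWzoksvgQq5tdJRsg=\n\
                  alice:$2y$05$<constructed-placeholder>\n";
    for (user, scheme) in audit(sample) {
        println!("{}: {:?} insecure={}", user, scheme, is_insecure(&scheme));
    }
}
```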