Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#382 closed enhancement (wontfix)

RFE - Support for bcrypt hashes

Reported by: gianluca.varisco@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: Cc:
uname -a:
nginx -V: latest?

Description

Hi everybody.

I'd like to use bcrypt hashes for nginx auth. Is there any plan to support/implement it? According to your official wiki there's a third-party patch for 1.3.14 available at https://gist.github.com/z38/5227024

Apache httpd 2.4.x has implemented it - httpd.apache.org/docs/current/programs/htpasswd.html

Considering the security discussions around the SHA scheme, would it be possible to have this patch merged?

Change History (2)

comment:1 Changed 6 years ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

All crypt(3) algorithms supported in your OS are available for use in nginx. If you want to use an algorithm which provides extra security, it's a good idea to look in this direction. That is, if you want to use an algorithm - just use it; the blowfish crypt algorithm is available on modern OSes.

From a portability point of view, there is support for $apr1$ (aka the Apache version of phk's md5 crypt algorithm), which is available on all platforms and believed to be sufficiently secure.

As for the patch linked - it is certainly wrong, it tries to modify wrong code (unix one instead of os-independent one), and it also looks like it uses an old algorithm identifier ($2a$ instead of $2y$, see http://openwall.com/crypt/).

comment:2 Changed 4 years ago by harm.verhagen@…

$apr1$ is MD5 slowed down 1000 times. That's *not* very secure by today's standards.

I guess you might want to consider reopening this ticket.
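The two comments above disagree about the same scheme, so here is what $apr1$ actually is, as an added example that is not part of the ticket and not nginx's own code: a pure-Python reference implementation of phk's MD5-crypt with Apache's magic string (nginx implements this scheme itself in ngx_crypt.c and hands other prefixes such as $2y$ to the libc crypt(3)). It makes the fixed 1000-round loop comment:2 refers to visible, and pairs it with a verifier of the kind auth_basic performs against an auth_basic_user_file. The function names, the user "alice", the password and the salt "sNa8Qzr1" are all constructed for this example.

```python
"""Reference $apr1$ (Apache MD5-crypt) hasher and verifier.

Added example, not code from the nginx ticket or project. Sample user,
password and salt below are constructed test data.
"""
import hashlib
import hmac
import secrets

# crypt(3)'s 64-character alphabet, used both for salts and for the encoded digest
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"
ROUNDS = 1000  # fixed by the algorithm; unlike bcrypt's cost it cannot be raised


def _to64(value: int, count: int) -> bytes:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return the $apr1$<salt>$<hash> string for `password` (phk's MD5-crypt)."""
    pw = password.encode()
    sl = salt.encode()[:8]  # the scheme uses at most eight salt characters

    ctx = hashlib.md5(pw + MAGIC + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in the alternate digest, one chunk per 16 bytes of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # for each bit of the password length, a NUL or the first password byte
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # The "slowdown": 1000 dependent MD5 computations over password, salt and digest
    for i in range(ROUNDS):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    # crypt's peculiar byte ordering for the base64-like output (22 characters)
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (MAGIC + sl + b"$" + encoded).decode()


def new_salt() -> str:
    """Eight random characters from the crypt alphabet."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(8))


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """Format one line of an nginx auth_basic_user_file (user:hash)."""
    return f"{user}:{apr1_crypt(password, salt or new_salt())}"


def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in `stored` and compare in constant time."""
    parts = stored.split("$")  # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_crypt(password, parts[2]), stored)


def check_user_file(lines, user: str, password: str) -> bool:
    """Look `user` up in htpasswd-style lines and verify `password` against its hash."""
    for line in lines:
        name, _, stored = line.strip().partition(":")
        if name == user:
            return verify(password, stored)
    return False


# Constructed sample user file, with a fixed salt so the output is reproducible
USER_FILE = [htpasswd_line("alice", "correct horse battery", "sNa8Qzr1")]

if __name__ == "__main__":
    print(USER_FILE[0])
    print(check_user_file(USER_FILE, "alice", "correct horse battery"))
```

The point of the round loop is the whole argument of the thread: $apr1$ costs exactly 1000 MD5 operations per guess, forever, whereas bcrypt's cost parameter can follow hardware. To use bcrypt as comment:1 suggests, generate the entry with a tool that emits `$2y$` (Apache 2.4's `htpasswd -B`, linked by the reporter) and confirm that the crypt(3) on the nginx host accepts that prefix: glibc's own crypt does not implement bcrypt, while libxcrypt (which most current Linux distributions ship in its place) and the BSDs do.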
