Opened 7 years ago

Closed 7 years ago

Last modified 5 years ago

#382 closed enhancement (wontfix)

RFE - Support for bcrypt hashes

Reported by: Gianluca Varisco
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.3.x
Keywords:
Cc:
uname -a:
nginx -V: latest?

Description

Hi everybody.

I'd like to use bcrypt hashes for nginx auth. Is there any plan to support/implement it? According to your official Wiki there's a 3rd party patch for 1.3.14 available at https://gist.github.com/z38/5227024

Apache httpd 2.4.x has implemented it - httpd.apache.org/docs/current/programs/htpasswd.html

Considering the security discussions around the SHA schema, would it be possible to have this patch merged?

Change History (2)

comment:1 by Maxim Dounin, 7 years ago

Resolution: wontfix
Status: new → closed

All crypt(3) algorithms supported in your OS are available for use in nginx. If you want to use an algorithm which provides extra security, it's a good idea to look into this direction. That is, if you want to use an algorithm - just use it; the blowfish crypt algorithm is available on modern OSes.

From a portability point of view, there is support for $apr1$ (aka the Apache version of phk's md5 crypt algorithm), which is available on all platforms and believed to be sufficiently secure.

As for the patch linked - it is certainly wrong, it tries to modify the wrong code (the unix one instead of the os-independent one), and it also looks like it uses an old algorithm identifier ($2a$ instead of $2y$, see http://openwall.com/crypt/).

comment:2 by harm.verhagen@…, 5 years ago

$apr1$ is md5 slowed down 1000 times. That's *not* very secure by today's standard.

I guess you might want to consider reopening this ticket.
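Added example, not part of the ticket or of nginx's code: a small audit of an `auth_basic_user_file` that labels each entry by its hash prefix, separating the schemes nginx implements itself from those it hands to the OS crypt(3), and flagging the `$apr1$` and `$2a$` cases discussed in the two comments. The sample entries, the `MIN_BCRYPT_COST` threshold and the function names are assumptions made for illustration.

```python
import re

# Constructed sample (name:hash[:comment]); hash bodies are placeholders, not real hashes.
SAMPLE = """\
# comment line
alice:$apr1$c0nstruc$placeholderplaceholder00
bob:$2y$12$placeholderplaceholderplaceholderplaceholderplacehold
carol:$2a$05$placeholderplaceholderplaceholderplaceholderplacehold
dave:{SHA}placeholderplaceholderpla=
erin:$6$rounds=100000$c0nstruc$placeholder
frank:$1$c0nstruc$placeholderplaceholder00
"""
MIN_BCRYPT_COST = 10  # assumed policy threshold, not an nginx setting

def classify(h):
    """Return (scheme, provider, finding) for one hash field."""
    if h.startswith(("$apr1$", "$1$")):  # apr1 is Apache's variant of md5crypt
        provider = "nginx" if h.startswith("$apr1$") else "crypt(3)"
        return "md5-" + h.split("$")[1], provider, "weak: MD5, fixed 1000 iterations"
    m = re.match(r"\$(2[abxy])\$(\d\d)\$", h)
    if m:
        ident, cost = m.group(1), int(m.group(2))
        notes = []
        if ident in ("2a", "2x"):  # comment:1 points to $2y$ as the current identifier
            notes.append("legacy identifier $%s$" % ident)
        if cost < MIN_BCRYPT_COST:
            notes.append("cost %d below %d" % (cost, MIN_BCRYPT_COST))
        return "bcrypt", "crypt(3)", "; ".join(notes) or "ok"
    m = re.match(r"\$([56])\$(?:rounds=(\d+)\$)?", h)
    if m:
        name = "sha256-crypt" if m.group(1) == "5" else "sha512-crypt"
        rounds = int(m.group(2) or 5000)  # 5000 is the scheme's default
        return name, "crypt(3)", "ok (rounds=%d)" % rounds
    if h.startswith(("{PLAIN}", "{SHA}", "{SSHA}")):
        return h[1:h.index("}")].lower(), "nginx", "weak: no key stretching"
    return "unknown/DES", "crypt(3)", "review manually"

def audit(text):
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 2)[:2]
        out.append((user,) + classify(h))
    return out

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-6s %-13s %-9s %s" % row)
```

Entries labelled `crypt(3)` verify only if the host's libc supports that prefix, which is the portability point raised in comment:1.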
