Opened 8 years ago
Last modified 6 years ago
#1215 new enhancement
Add support for SHA2 (SHA3?) family for RFC2307 passwords for HTTP Basic authentication
Reported by: | https://stackoverflow.com/users/573152/bernard-rosset | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.10.x |
Keywords: | auth Basic | Cc: | |
uname -a: | Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.10.3 built by gcc 4.9.2 (Debian 4.9.2-10) built with OpenSSL 1.0.1t 3 May 2016 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-threads --with-ipv6 --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' | | |
Description
The auth_basic_user_file docs state only PLAIN, SHA & SSHA schemes are supported for RFC 2307-formatted passwords.
As the docs also warn, SHA should be avoided (you could actually issue the same warning for SSHA).
It would be best if this directive supported at least the versions of password schemes which are considered safe, rather than merely outdated ones, for example SSHA512.
Change History (2)
follow-up: 2 comment:1 by , 6 years ago
Nginx already supports the SHA-2, but the docs still need updating.
comment:2 by , 6 years ago
Replying to zasca@…:
> Nginx already supports the SHA-2, but the docs still need updating.
Docs clearly say that nginx supports passwords encrypted with the crypt() function. This includes all crypt() schemes as supported by your operating system. Note though that using strong crypt() schemes should be carefully thought through, as these are designed for UNIX login verification and may require a lot of CPU, while with HTTP basic authentication password checking happens on each request.
This feature request is, however, about RFC 2307 password schemes, and the only supported RFC 2307 schemes are {PLAIN}, {SHA}, and {SSHA}. No other RFC 2307 password schemes are currently supported.
Note well that crypt() SHA2-based schemes, $5$ and $6$, are quite different from {SSHA256} and {SSHA512}, as crypt() schemes imply repeated hashing, much like MD5-based $1$ AKA $apr1$, while RFC 2307 schemes aren't. And in terms of bruteforce resistance even MD5-based $1$/$apr1$ is much better than {SSHA}, {SSHA256}, or even {SSHA512}.
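The distinction drawn in comment 2, a single digest for RFC 2307 {SHA}/{SSHA} entries versus iterated crypt() schemes, in working code. This is an added example, not nginx's own code: a small Python verifier for the {PLAIN}/{SHA}/{SSHA} password fields an auth_basic_user_file can hold, plus an audit that classifies each entry of a constructed sample file by scheme and by whether the scheme iterates its hash. It goes one step beyond the page: {SSHA256} and {SSHA512} are implemented with the same construction so it is visible that they add digest length but no rounds; nginx itself supports only {PLAIN}, {SHA} and {SSHA}, as the comment states. The crypt() entries in the sample file are placeholders that carry only the prefix and are not real hashes; the eight-byte salt default is an assumption of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, List, Tuple

# RFC 2307 schemes as used in the ticket: one digest over password||salt, stored as
# base64(digest || salt). {SSHA256}/{SSHA512} are included only to show that they keep
# the same single-round construction; nginx supports just {PLAIN}, {SHA} and {SSHA}.
RFC2307_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SSHA256": ("sha256", True),   # not supported by nginx; illustrative only
    "SSHA512": ("sha512", True),   # not supported by nginx; illustrative only
}

# crypt(3) prefixes named in comment 2; all of these iterate the underlying hash.
CRYPT_PREFIXES = {
    "$apr1$": "apr1",
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def make_rfc2307(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Build a {SCHEME}base64(digest || salt) field. One digest call, no stretching."""
    algo, salted = RFC2307_SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)  # assumed salt length; any length works for verification
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify_rfc2307(password: str, stored: str) -> bool:
    """Check a password against a {PLAIN}/{SHA}/{SSHA*} field with constant-time compare."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    if scheme == "PLAIN":
        return hmac.compare_digest(password.encode(), encoded.encode())
    if scheme not in RFC2307_SCHEMES:
        return False          # unknown scheme: reject rather than guess
    algo, _salted = RFC2307_SCHEMES[scheme]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]   # whatever follows the digest is the salt
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def classify_scheme(field: str) -> Tuple[str, bool]:
    """Name the scheme of one password field and report whether it iterates the hash."""
    if field.startswith("{") and "}" in field:
        return field[1:field.index("}")], False   # RFC 2307: single digest, no rounds
    for prefix, name in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return name, True
    return "unknown", False


def audit_user_file(text: str) -> List[Tuple[str, str, bool]]:
    """Parse auth_basic_user_file lines (name:password[:comment]) and classify each."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        field = rest.split(":", 1)[0]      # a second colon starts a comment
        scheme, iterated = classify_scheme(field)
        report.append((user, scheme, iterated))
    return report


# Constructed sample file; the $apr1$/$6$ values are placeholders, not real hashes.
SAMPLE_USER_FILE = """\
# constructed sample auth_basic_user_file
alice:{PLAIN}hunter2
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:%s:legacy account
dave:$apr1$saltsalt$PLACEHOLDERnotARealHash
erin:$6$saltsalt$PLACEHOLDERnotARealHash
""" % make_rfc2307("secret", "SSHA", salt=b"saltsalt")


if __name__ == "__main__":
    for user, scheme, iterated in audit_user_file(SAMPLE_USER_FILE):
        print("%-6s %-12s %s" % (user, scheme, "iterated" if iterated else "single digest"))
```

Running the audit over a real auth_basic_user_file lists every account whose password field is a single-digest scheme, which is the set comment 2 describes as weaker than even $1$/$apr1$ against brute force; the verifier shows why, since each guess costs exactly one hash call regardless of digest size.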