[Bug 193469] New: defective crypt() implementation affects Apache 2.4, possibly 2.2
bugzilla-noreply at freebsd.org
Mon Sep 8 20:15:04 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193469
Bug ID: 193469
Summary: defective crypt() implementation affects Apache 2.4, possibly 2.2
Product: Ports Tree
Version: Latest
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: papowell at astart.com
Another port hit by the defective crypt() implementation for FreeBSD 9.3
See Apache documentation for authentication:
http://httpd.apache.org/docs/2.2/howto/auth.html
and http://httpd.apache.org/docs/2.4/howto/auth.html
See password formats for Apache 2.4
http://httpd.apache.org/docs/2.4/misc/password_encryptions.html
CRYPT
$ htpasswd -nbd myName myPassword
myName:rqXexS6ZhobKA
And when run on FreeBSD 9.3:
$ htpasswd -nbd myName myPassword
myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1
Question: does Apache 2.4 recognize this format for encrypted passwords?
Server version: Apache/2.4.10 (FreeBSD)
I put this value into an htpasswd file and discovered that it did not.
From the Apache 2.4 documentation (the Apache 2.2 documentation is almost identical):
There are five formats that Apache recognizes for basic-authentication
passwords. Note that not all formats work on every platform:
bcrypt
"$2y$" + the result of the crypt_blowfish algorithm. See the APR source
file crypt_blowfish.c for the details of the algorithm.
MD5
"$apr1$" + the result of an Apache-specific algorithm using an iterated
(1,000 times) MD5 digest of various combinations of a random 32-bit salt and
the password. See the APR source file apr_md5.c for the details of the
algorithm.
SHA1
"{SHA}" + Base64-encoded SHA-1 digest of the password. Insecure.
CRYPT
Unix only. Uses the traditional Unix crypt(3) function with a
randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters
of the password. Insecure.
So it appears that the $6$ is not documented as being valid and using it as an
encrypted password value does not work.
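As an added example (not part of the bug report, and not Apache or APR code): a small checker that classifies each entry of an htpasswd file against the four hashed formats the quoted documentation lists (bcrypt, MD5/"$apr1$", SHA1/"{SHA}", traditional CRYPT) and flags anything else, such as the "$6$" SHA-512 crypt(3) output that FreeBSD 9.3's htpasswd -d produced above, as an entry mod_auth_basic will not accept. The first two sample entries are the two htpasswd outputs quoted in the report; the remaining entries, the user names and the password "myPassword" for the {SHA} line are constructed for the example. The {SHA} entry is generated with hashlib so it can also be verified.

```python
import base64
import hashlib
import re

# Patterns for the hashed formats the Apache 2.4 documentation lists
# (bcrypt, MD5/apr1, SHA1, traditional CRYPT).  PLAIN is deliberately not
# matched here, since it cannot be told apart from an unrecognised string.
_FORMATS = [
    ("bcrypt", re.compile(r"^\$2y\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("MD5",    re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("SHA1",   re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("CRYPT",  re.compile(r"^[./A-Za-z0-9]{13}$")),
]
# Modular-crypt prefixes ($id$...) that a libc crypt(3) may emit but Apache does not list.
_OTHER_CRYPT = re.compile(r"^\$([^$]+)\$")


def classify(hashed: str) -> str:
    """Return the Apache format name, or 'unsupported ($id$)' for other crypt(3) output."""
    for name, pattern in _FORMATS:
        if pattern.match(hashed):
            return name
    m = _OTHER_CRYPT.match(hashed)
    if m:
        return f"unsupported (${m.group(1)}$)"
    return "unsupported (unknown)"


def verify_sha1(hashed: str, password: str) -> bool:
    """Check a '{SHA}' entry: Base64 of the raw SHA-1 digest of the password."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hashed == "{SHA}" + digest


def audit_htpasswd(text: str) -> list:
    """Parse htpasswd text into (user, format, accepted) tuples; blank and comment lines are skipped."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        fmt = classify(hashed)
        results.append((user, fmt, not fmt.startswith("unsupported")))
    return results


# Constructed sample file.  The first two entries are the two htpasswd outputs
# quoted in the report (portable crypt(3) and FreeBSD 9.3 SHA-512 crypt); the
# rest are made-up entries of the right shape, not real credentials.
SAMPLE = "\n".join([
    "myName:rqXexS6ZhobKA",
    "myName:$6$Xaxjf5o0$4qAdV/N7OKPGsqM3KuD7D4HkkneCsAz752VFuDfsoRCV15c2AV295cEtBss9X.zErMK0OLYLS2P7pOzpDGGXY1",
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(b"myPassword").digest()).decode(),
    "bob:$apr1$abcdefgh$0123456789abcdefghijkl",
    "carol:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
])

if __name__ == "__main__":
    for user, fmt, ok in audit_htpasswd(SAMPLE):
        print(f"{user:8} {fmt:22} {'ok' if ok else 'REJECTED by mod_auth_basic'}")
```

Run against a real htpasswd file, the checker shows at a glance which entries were written by a platform crypt(3) whose default output format Apache does not understand; the fix on such a platform is to generate entries with a portable option such as -B (bcrypt) or -m (apr1 MD5) instead of -d.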