Ticket #1059 (closed defect: fixed)

Opened 2 years ago

Last modified 8 months ago

HtPasswdStore doesn't recognize Blowfish hashes

Reported by: anonymous Assigned to: mgood
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.10

Description

On my FreeBSD Sparc box, the HtPasswdStore wouldn't work with crypt()ed htpasswd files generated by Apache's own htpasswd binary. Once I forced the passwords to be SHAsums, HtPasswdStore worked fine.

Attachments

htpasswd (150 bytes) - added by anonymous on 12/29/06 22:41:10.
Htpasswd on FreeBSD Sparc

Change History

12/29/06 22:41:10 changed by anonymous

  • attachment htpasswd added.

Htpasswd on FreeBSD Sparc

12/29/06 22:41:36 changed by anonymous

Actually, HtPasswdStore doesn't work at all, when it comes to things like Adding New Users in the AccountManagerAdminPage. Again, if I force Apache's htpasswd to use SHA (I've not tried MD5, I imagine it works as well) to make a new password, it works fine. I am worried that users will try to change their passwords and make it impossible to log in... Perhaps BSD does crypt(3) different than other unices?

12/30/06 15:36:50 changed by mgood

  • keywords set to needinfo.
  • summary changed from HtPasswdStore doesn't work to HtPasswdStore doesn't recognize Blowfish hashes.

Based on the hash in your htpasswd file your system is using a Blowfish-based crypt scheme.

How does the Python crypt module compare to what htpasswd is outputting? This is what I get from the standard DES-based crypt on my system:

$ python -c 'import crypt; print crypt.crypt("password", "AB")'
ABRCL9ijBr2LY

Do you see the same output, or does that also produce a Blowfish-based hash?

12/30/06 20:20:52 changed by anonymous

Gah, you're completely right: I'm using Blowfish. "$2a$04$A..F9d99wOC......BtGC.qtucOVLTvYLiR2gJFuDhVbL9gb.d/lq" is what I get. Anything I can do about this? I can't change the system I'm on.

12/30/06 21:20:49 changed by mgood

Ok, try this:

$ python -c 'import crypt; x = crypt.crypt("password", "AB"); print x == crypt.crypt("password", x)'
True

The plugin is currently assuming that there are only 2 bytes of salt at the beginning of the hash. Based on the docs for the Python crypt module it appears that it should be possible to feed the whole hash and the underlying crypt implementation should handle this correctly. If the command above prints "True" this should only require a small patch to correct.
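
The salt-handling difference described in this comment, as an added illustration that is not code from the ticket or from AccountManagerPlugin: the "before" check slices the first two characters off the stored hash and hands them to crypt(3) as the salt, which works for traditional DES hashes but turns a Blowfish entry into the meaningless salt "$2"; the fixed check passes the whole stored hash as the salt, so the underlying crypt implementation picks the scheme and salt length itself. The htpasswd lines, the function names and the {SHA} fallback are constructed for this example; Python 2's `crypt` module is assumed (it is deprecated in recent Python 3 releases, so the crypt checks return None where it is unavailable).

```python
import base64
import hashlib

try:
    import crypt  # present in Python 2 and Python 3 up to 3.12; removed in 3.13
except ImportError:
    crypt = None


def parse_htpasswd(text):
    """Map user -> stored hash for an htpasswd file ("user:hash" per line)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, _, stored = line.partition(':')
        entries[user] = stored
    return entries


def _crypt_matches(password, salt, stored):
    """Run crypt(3) with the given salt and compare against the stored hash.

    Returns None when no crypt module is available. An unusable salt makes
    crypt either return None/garbage or raise, all of which count as no match.
    """
    if crypt is None:
        return None
    try:
        result = crypt.crypt(password, salt)
    except (OSError, ValueError):
        return False
    return result is not None and result == stored


def check_crypt_two_byte_salt(stored, password):
    """The plugin's original assumption: the salt is always the first 2 bytes.

    For a Blowfish hash ($2a$...) this feeds crypt the salt "$2", which no
    implementation can use to reproduce the 60-character stored value.
    """
    return _crypt_matches(password, stored[:2], stored)


def check_crypt_full_hash(stored, password):
    """The fix: hand crypt the entire stored hash as its salt argument.

    crypt(3) reads the scheme prefix and salt out of the hash itself, so DES,
    MD5, Blowfish and SHA-crypt entries are all handled the same way.
    """
    return _crypt_matches(password, stored, stored)


def check_sha(stored, password):
    """Apache's {SHA} format: base64 of the raw SHA-1 digest (htpasswd -s)."""
    digest = base64.b64encode(hashlib.sha1(password.encode('utf-8')).digest())
    return stored == '{SHA}' + digest.decode('ascii')


def verify(stored, password):
    """Dispatch on the stored format, using the full-hash crypt check."""
    if stored.startswith('{SHA}'):
        return check_sha(stored, password)
    return check_crypt_full_hash(stored, password)


# Constructed sample file: one {SHA} entry for "password" (a well-known value)
# and the Blowfish-style entry quoted earlier in this ticket.
SAMPLE_HTPASSWD = """\
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:$2a$04$A..F9d99wOC......BtGC.qtucOVLTvYLiR2gJFuDhVbL9gb.d/lq
"""

if __name__ == '__main__':
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    for user, stored in users.items():
        print(user, 'two-byte salt:', check_crypt_two_byte_salt(stored, 'password'),
              'full hash:', verify(stored, 'password'))
```

The comparison is deliberately done against the full stored string rather than a prefix: if crypt returns a hash in a different scheme (for example a DES hash when handed an unusable salt), the lengths differ and the check fails closed.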

(follow-up: ↓ 6 ) 12/30/06 23:43:52 changed by anonymous

It prints True! Thanks for putting up with me, anyhow.

(in reply to: ↑ 5 ) 01/03/07 10:36:13 changed by mgood

  • keywords deleted.
  • status changed from new to assigned.

Replying to anonymous:

It prints True! Thanks for putting up with me, anyhow.

Thanks for helping debug this.

01/03/07 10:38:18 changed by mgood

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [1844]) use the full hash when checking crypt-ed passwords since some implementations differ in salt values (fixes #1059)
