Opened 7 years ago

Closed 4 years ago

Last modified 4 years ago

#2282 closed enhancement (fixed)

Make default htpasswd hash type configurable

Reported by: anonymous
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords: htpasswd file
Cc: mmitar@…, p_ansell@…, dangb
Trac Release: 0.11

Description

Hi,

I installed Account Manager Plugin v 0.1.3dev-r2548 with Trac 0.10.4. The HtpasswdStore component works, but stores the passwords not in md5, but in (I think) crypt hash (e.g. test:KsHASOmJA1c36).

In some documents, a default usage of md5 is stated. But, in my case it is not!

Is the hash generation a Python built-in or does it use the command-line tool htpasswd2?

Thx, a lot for your help Ruediger

Attachments (0)

Change History (19)

comment:1 Changed 7 years ago by mgood

What documents are you referring to? The hash generation is done in Python, but follows the behavior of the htpasswd2 tool and generates crypt passwords when possible and md5 passwords otherwise. I don't see anything in the wiki stating that md5 is the default, so I'm not sure what you're asking to have changed.

comment:2 Changed 7 years ago by anonymous

Hi, I refer to the following document: http://threebit.net/mail-archive/trac/msg02575.html

As you commented, it seems that AccountManager generates crypt-passwd by default (in contrast to the old link above).

Is there a possibility to generate md5-passwd-hashes with Account Manager? Is there an option to define the format?

Thx

comment:3 Changed 7 years ago by mgood

  • Summary changed from AccountManager generates no md5 password-hashes to Make default htpasswd hash type configurable
  • Type changed from defect to enhancement

At the time I wrote that message the default behavior was to generate MD5 passwords, but I changed it to use crypt by default in r1517 to be more compatible with the behavior of the Apache htpasswd utility. On Windows MD5 is still the default since crypt is not available.

There is not a configuration option to set the default hashing method. Why do you need to only use MD5 passwords?

comment:4 Changed 7 years ago by anonymous

Our svn repository is currently secured by htpasswd and we built a password database using md5 hashes. At the time of generating this pwd-database we did not take the trac environment into account. Thus, it would be nice if the users can change their passwords on their own. In case of crypt hashes we have to recreate the whole password database.

Or does it work also with "hybrid" hash files?

Thx Rüdiger

comment:5 Changed 7 years ago by mgood

It's not a problem if the file contains a mix of different types of hashes. Like Apache the plugin figures out which hash method was used on a line-by-line basis.
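Added example (not part of the ticket and not the plugin's own code): a per-line classifier for htpasswd entries, following Apache's prefix conventions for the three hash types this ticket discusses (crypt, md5, sha). The sample entries are constructed and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import re

# Apache htpasswd conventions: the scheme is recognised from the hash field itself.
PREFIXES = (("$apr1$", "md5"),   # Apache-specific salted MD5
            ("{SHA}", "sha"))    # unsalted base64(SHA-1(password))
# Traditional DES crypt(3): 2 salt characters + 11 hash characters.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(hash_field):
    """Name the scheme of one hash field; 'unknown' is this example's own label."""
    for prefix, scheme in PREFIXES:
        if hash_field.startswith(prefix):
            return scheme
    return "crypt" if CRYPT_RE.match(hash_field) else "unknown"

def sha_entry(user, password):
    """Build a '{SHA}' line the way htpasswd -s does (no salt)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))

def check_sha(hash_field, password):
    """Verify a password against a '{SHA}' hash field in constant time."""
    expected = sha_entry("", password).split(":", 1)[1]
    return hmac.compare_digest(hash_field.encode("utf-8"), expected.encode("ascii"))

def audit(text):
    """Return {user: scheme}, deciding the scheme line by line."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        user, hash_field = line.split(":", 1)
        result[user] = classify(hash_field)
    return result

# Constructed sample file mixing all three schemes (not real credentials).
SAMPLE = "\n".join([
    "# constructed example",
    "alice:$apr1$abcdefgh$0123456789abcdefghijkl",
    sha_entry("bob", "example-password"),
    "carol:abJnggxhB/yWI",
])

if __name__ == "__main__":
    for user, scheme in sorted(audit(SAMPLE).items()):
        print(user, scheme)
```

Inventorying the file this way shows which accounts will stay on an older scheme after the default changes, since an existing entry is only rewritten when that user changes their password.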

comment:6 Changed 7 years ago by drleo

  • Priority changed from normal to high
  • Type changed from enhancement to defect

I don't mean to be obnoxious in changing this bug back to defect, and changing its priority. I have added the rationale below. If I misunderstood your comments I apologize.

Users (myself included) have built infrastructure (including other web components that share the same password file) based on the previous default. Thus, an option that allows users to override the new default with the old one is essential. It is a significant hardship to change the configurations of the entire infrastructure to use the new default. Right now my users can't access svn among other essential tools.

Another argument: there are circumstances where more than one platform must authenticate from the same file. So using the default on each platform is not sufficient.

Thanks, Leo.

comment:7 Changed 7 years ago by mgood

  • Priority changed from high to normal
  • Type changed from defect to enhancement

If you need additional flexibility in this tool that's still an enhancement, not a defect. The plugin behaves as described and complies with the htpasswd standard file format.

I don't have much time to work on this plugin these days, so if you can work on a patch it would be greatly appreciated.

comment:8 follow-up: Changed 7 years ago by ante

I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.

comment:9 in reply to: ↑ 8 Changed 7 years ago by mgood

Replying to ante:

I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.

Please explain. The plugin will read MD5 passwords just fine regardless of what platform you're on, so this should work just fine. The only difference is that when users update their passwords the new value will use the "crypt" format. Htpasswd supports mixing different hashing formats within the same file, so this is not a problem.

comment:10 Changed 7 years ago by ante

When I try to login with MD5 stored password I got incorrect password message, login with CRYPT password works fine.

comment:11 follow-up: Changed 7 years ago by ante

I'll try to explain this way, I have passwords already stored in svn_pwd.

ante:$apr1$b3BoO...$PFRLvDJSCFcMDwCguKDBa.
testuser:$apr1$iU5.....$2SRd4MCBKFbFuZlHNWHab/
ante1:YDNMS/QpdAX0g

If I go to Trac account preferences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

comment:12 in reply to: ↑ 11 Changed 7 years ago by mgood

Replying to ante:

If I go to Trac account preferences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

I've created #3225 for this since it's not really the same as the request here since it's a problem reading existing passwords rather than the format used by new passwords.

comment:13 follow-up: Changed 6 years ago by Mitar

  • Cc mmitar@… added; anonymous removed

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

comment:14 in reply to: ↑ 13 Changed 4 years ago by hasienda

  • Keywords htpasswd file added
  • Owner changed from mgood to hasienda
  • Summary changed from Make default htpasswd hash type configurable to [patch] Make default htpasswd hash type configurable

Replying to Mitar:

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

Yes, since I've taken maintainership of this plugin this week, I'll try to catch up with tickets as well as I can. Thanks for your patience. Still I'd value getting a hint, if this changed to a non-issue by now.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

Thanks for the hint. I think this is as good as a patch would have been. I will add such an option while preparing more changes to htpasswd file handling.

comment:15 Changed 4 years ago by hasienda

  • Status changed from new to assigned
  • Summary changed from [patch] Make default htpasswd hash type configurable to Make default htpasswd hash type configurable
  • Trac Release changed from 0.10 to 0.11

Well, I've done a slightly different implementation, testing now.

At second thought I disregarded salt_prefix as option name, since it was too internal. I'll use hash_type and map needed salt_prefix settings under the hood, you see?

And while we are at it, why limit to md5? I chose to allow 'sha' as another preset as well. Objections?

Final question: Do we require a backport to 0.10 branch as well?

comment:16 Changed 4 years ago by mitar

Welcome aboard maintainership of this plugin. I am glad!

Great! Of course we should not limit only to md5. By allowing custom prefix we can support any type.

I think 0.10 is not needed anymore. For those having 0.10 installation they probably already fixed that in some other way.

comment:17 Changed 4 years ago by hasienda

  • Cc p_ansell@… dangb added
  • Severity changed from normal to major

#2031 has been closed as a duplicate of this ticket. Seems there are some more people interested in this feature.

comment:18 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [9274]) AccountManagerPlugin: Force different hash type in htpasswd files by choice, closes #2282.

The new option hash_type is available via acct_mgr config admin UI too. Salt generation is moved from htpasswd() module into new mkhtpasswd(). An old compatibility method for Python <= 2.3 gets removed while doing some code cleanup. And we add a new, long missed unittest for crypt|md5|sha hash creation.

comment:19 Changed 4 years ago by hasienda

#7395 has been closed as a duplicate of this ticket. There is a patch in there suggesting another way to introduce hash type selection.
