#2282 closed enhancement (fixed)
Make default htpasswd hash type configurable
Reported by: | anonymous | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | major | Keywords: | htpasswd file |
Cc: | Mitar, p_ansell@…, Dan Bucatanschi | Trac Release: | 0.11 |
Description
Hi,
i installed Account Manager Plugin v 0.1.3dev-r2548 with Trac 0.10.4. The HtpasswdStore component works, but stores the passwords not in md5, but in (i think) crypt hash (e.g. test:KsHASOmJA1c36).
In some docments, a default usage of md5 is stated. But, in my case it is not!
Is the hash generation a python build-in or does it use the command-line tool htpasswd2?
Thx, a lot for your help Ruediger
Attachments (0)
Change History (19)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
Hi, i refer to the following document: http://threebit.net/mail-archive/trac/msg02575.html
As you commented, it seems as AccountManager generates crypt-passwd per default (in contrast to the old link above).
Is there a possibility to generate md5-passwd-hashes with Account Manager. Is there a option to define the format?
Thx
comment:3 Changed 17 years ago by
Summary: | AccountManager generates no md5 password-hashes → Make default htpasswd hash type configurable |
---|---|
Type: | defect → enhancement |
At the time I wrote that message the default behavior was to generate MD5 passwords, but I changed it to use crypt by default in r1517 to be more compatible with the behavior of the Apache htpasswd utility. On Windows MD5 is still the default since crypt is not available.
There is not a configuration option to set the default hashing method. Why do you need to only use MD5 passwords?
comment:4 Changed 17 years ago by
Our svn repository is currently secured by htpasswd and we built a password data base using md5 Hashes. At the time of generating this pwd-database we did not take the trac environment into account. Thus, it would be nice, if the users can change there passwords on its own. In case of crypt hashes we have to recreate the whole password data base.
Or does it work also with "hybrid" hash files?
Thx Rüdiger
comment:5 Changed 17 years ago by
It's not a problem if the file contains a mix of different types of hashes. Like Apache the plugin figures out which hash method was used on a line-by-line basis.
comment:6 Changed 17 years ago by
Priority: | normal → high |
---|---|
Type: | enhancement → defect |
I don't mean to be obnoxious in changing this bug back to defect, and changing its priority. I have added the rationale below. If I misunderstood your comments I apologize.
Users (myself included) have built infrastructure (including other web components that share the same password file) based on the previous default. Thus, an option that allows users to override the new default with the old one is essential. It is a significant hardship to change the configurations of the entire infrastructure to use the new default. Right now my users can't access svn among other essential tools.
Another argument: there are circumstances where more than one platform must authenticate from the same file. So using the default on each platform is not sufficient.
Thanks, Leo.
comment:7 Changed 17 years ago by
Priority: | high → normal |
---|---|
Type: | defect → enhancement |
If you need additional flexibility in this tool that's still an enhancement, not a defect. The plugin behaves as described and complies with the htpasswd standard file format.
I don't have much time to work on this plugin these days, so if you can work on a patch it would be greatly appreciated.
comment:8 follow-up: 9 Changed 17 years ago by
I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.
comment:9 Changed 17 years ago by
Replying to ante:
I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.
Please explain. The plugin will read MD5 passwords just fine regardless of what platform you're on, so this should work just fine. The only difference is that when users update their passwords the new value will use the "crypt" format. Htpasswd supports mixing different hashing formats within the same file, so this is not a problem.
comment:10 Changed 17 years ago by
When I try to login with MD5 stored password I got incorrect password message, login with CRYPT password works fine.
comment:11 follow-up: 12 Changed 17 years ago by
I'll try to explain this way, I have passwords allready stored in svn_pwd.
ante:$apr1$b3BoO...$PFRLvDJSCFcMDwCguKDBa. testuser:$apr1$iU5.....$2SRd4MCBKFbFuZlHNWHab/ ante1:YDNMS/QpdAX0g
If I go to Trac account prefrences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).
comment:12 Changed 17 years ago by
Replying to ante:
If I go to Trac account prefrences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).
I've created #3225 for this since it's not really the same as the request here since it's a problem reading existing passwords rather than the format used by new passwords.
comment:13 follow-up: 14 Changed 16 years ago by
Cc: | Mitar added; anonymous removed |
---|
Anything new about this? It would be really great if there would be an option salt_prefix
so I could set it to $1$
and I would get MD5 hash type.
The change is simple. Line 67 (s = ''
) in pwhash.py should be changed to s = salt_prefix
.
comment:14 Changed 14 years ago by
Keywords: | htpasswd file added |
---|---|
Owner: | changed from Matt Good to Steffen Hoffmann |
Summary: | Make default htpasswd hash type configurable → [patch] Make default htpasswd hash type configurable |
Replying to Mitar:
Anything new about this? It would be really great if there would be an option
salt_prefix
so I could set it to$1$
and I would get MD5 hash type.
Yes, since I've taken maintainership of this plugin this week, I'll try to catch up with tickets as good as I can. Thanks for your patience. Still I'd value getting a hint, if this changed to a non-issue by now.
The change is simple. Line 67 (
s = ''
) in pwhash.py should be changed tos = salt_prefix
.
Thanks for the hint. I think this is as good as a patch would have been. I will add such an option while preparing more changes to htpasswd file handling.
comment:15 Changed 14 years ago by
Status: | new → assigned |
---|---|
Summary: | [patch] Make default htpasswd hash type configurable → Make default htpasswd hash type configurable |
Trac Release: | 0.10 → 0.11 |
Well, I've done a slightly different implementation, testing now.
At second thought I disregarded salt_prefix
as option name, since it was too internal. I'll use hash_type
and map needed salt_prefix settings under the hood, you see?
And while we are at it, why limit to md5? I chose to allow 'sha' as another preset as well. Objections?
Final question: Do we require a backport to 0.10 branch as well?
comment:16 Changed 14 years ago by
Welcome aboard maintainship of this plugin. I am glad!
Great! Of course we should not limit only to md5. By allowing custom prefix we can support any type.
I thin 0.10 is not needed anymore. For those having 0.10 installation they probably already fixed that in some other way.
comment:17 Changed 14 years ago by
Cc: | p_ansell@… Dan Bucatanschi added |
---|---|
Severity: | normal → major |
#2031 has been closed as a duplicate of this ticket. Seems there are some more people interested in this feature.
comment:18 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [9274]) AccountManagerPlugin: Force different hash type in htpasswd files by choice, closes #2282.
The new option hash_type is available via acct_mgr config admin UI too. Salt generation is moved from htpasswd() module into new mkhtpasswd(). An old compatibility method for Python <= 2.3 gets removed while doing some code cleanup. And we add a new, long missed unittest for crypt|md5|sha hash creation.
comment:19 Changed 14 years ago by
#7395 has been closed as a duplicate of this ticket. There is a patch in there suggesting another way to introduce hash type selection.
What documents are you referring to? The hash generation is done in Python, but follows the behavior of the htpasswd2 tool and generates crypt passwords when possible and md5 passwords otherwise. I don't see anything in the wiki stating that md5 is the default, so I'm not sure what you're asking to have changed.