
Opened 17 years ago

Closed 14 years ago

Last modified 14 years ago

#2282 closed enhancement (fixed)

Make default htpasswd hash type configurable

Reported by: anonymous
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: major
Keywords: htpasswd file
Cc: Mitar, p_ansell@…, Dan Bucatanschi
Trac Release: 0.11

Description

Hi,

I installed Account Manager Plugin v 0.1.3dev-r2548 with Trac 0.10.4. The HtpasswdStore component works, but stores the passwords not in md5, but in (I think) crypt hash (e.g. test:KsHASOmJA1c36).

In some documents, a default usage of md5 is stated. But, in my case it is not!

Is the hash generation a Python built-in or does it use the command-line tool htpasswd2?

Thx a lot for your help, Ruediger

Attachments (0)

Change History (19)

comment:1 Changed 17 years ago by Matt Good

What documents are you referring to? The hash generation is done in Python, but follows the behavior of the htpasswd2 tool and generates crypt passwords when possible and md5 passwords otherwise. I don't see anything in the wiki stating that md5 is the default, so I'm not sure what you're asking to have changed.

comment:2 Changed 17 years ago by anonymous

Hi, I refer to the following document: http://threebit.net/mail-archive/trac/msg02575.html

As you commented, it seems that AccountManager generates crypt-passwd by default (in contrast to the old link above).

Is there a possibility to generate md5-passwd-hashes with Account Manager? Is there an option to define the format?

Thx

comment:3 Changed 17 years ago by Matt Good

Summary: changed from AccountManager generates no md5 password-hashes to Make default htpasswd hash type configurable
Type: changed from defect to enhancement

At the time I wrote that message the default behavior was to generate MD5 passwords, but I changed it to use crypt by default in r1517 to be more compatible with the behavior of the Apache htpasswd utility. On Windows MD5 is still the default since crypt is not available.

There is not a configuration option to set the default hashing method. Why do you need to only use MD5 passwords?

comment:4 Changed 17 years ago by anonymous

Our svn repository is currently secured by htpasswd and we built a password data base using md5 hashes. At the time of generating this pwd-database we did not take the trac environment into account. Thus, it would be nice if the users could change their passwords on their own. In case of crypt hashes we have to recreate the whole password data base.

Or does it work also with "hybrid" hash files?

Thx Rüdiger

comment:5 Changed 17 years ago by Matt Good

It's not a problem if the file contains a mix of different types of hashes. Like Apache the plugin figures out which hash method was used on a line-by-line basis.
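The line-by-line detection described in comment:5, sketched as an added example (not the plugin's own code): it classifies each entry of a mixed htpasswd file by the markers Apache uses (`$apr1$` for MD5, `{SHA}` for SHA-1, a bare 13-character string for crypt) so an administrator can see which scheme each account currently has. All function names and the sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Traditional crypt(3) output: 2 salt chars + 11 hash chars, no prefix.
_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return the scheme of the hash field of one htpasswd line."""
    if field.startswith("$apr1$"):
        return "md5"      # Apache's salted MD5 variant
    if field.startswith("{SHA}"):
        return "sha"      # unsalted SHA-1, base64 encoded
    if _CRYPT_RE.match(field):
        return "crypt"    # only the first 8 password characters count
    return "unknown"

def audit_htpasswd(text):
    """Map every user in a (possibly mixed) htpasswd file to its scheme."""
    schemes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        schemes[user] = classify_hash(field)
    return schemes

def sha_entry(user, password):
    """Build a '{SHA}' htpasswd line: base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))

def check_sha(field, password):
    """Verify a password against a '{SHA}' field in constant time."""
    expected = sha_entry("", password).split(":", 1)[1]
    return hmac.compare_digest(field.encode("utf-8"), expected.encode("ascii"))

# Constructed sample file; the hash bodies are placeholders, not real hashes.
SAMPLE = "\n".join([
    "alice:$apr1$saltsalt$" + "x" * 22,
    "bob:abCONSTRUCTED",
    sha_entry("carol", "example-password"),
])

if __name__ == "__main__":
    for user, scheme in sorted(audit_htpasswd(SAMPLE).items()):
        print(user, scheme)
```

The crypt test is a heuristic: any unprefixed 13-character field drawn from the crypt alphabet is reported as crypt.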

comment:6 Changed 17 years ago by drleo

Priority: changed from normal to high
Type: changed from enhancement to defect

I don't mean to be obnoxious in changing this bug back to defect, and changing its priority. I have added the rationale below. If I misunderstood your comments I apologize.

Users (myself included) have built infrastructure (including other web components that share the same password file) based on the previous default. Thus, an option that allows users to override the new default with the old one is essential. It is a significant hardship to change the configurations of the entire infrastructure to use the new default. Right now my users can't access svn among other essential tools.

Another argument: there are circumstances where more than one platform must authenticate from the same file. So using the default on each platform is not sufficient.

Thanks, Leo.

comment:7 Changed 17 years ago by Matt Good

Priority: changed from high to normal
Type: changed from defect to enhancement

If you need additional flexibility in this tool that's still an enhancement, not a defect. The plugin behaves as described and complies with the htpasswd standard file format.

I don't have much time to work on this plugin these days, so if you can work on a patch it would be greatly appreciated.

comment:8 Changed 17 years ago by Ante Blašković

I've upgraded my server from Winblows to Linux and now I cannot use the plugin because all passwords are saved in MD5 format. I hope you will make this work in the near future.

comment:9 in reply to:  8 Changed 17 years ago by Matt Good

Replying to ante:

I've upgraded my server from Winblows to Linux and now I cannot use the plugin because all passwords are saved in MD5 format. I hope you will make this work in the near future.

Please explain. The plugin will read MD5 passwords just fine regardless of what platform you're on, so this should work just fine. The only difference is that when users update their passwords the new value will use the "crypt" format. Htpasswd supports mixing different hashing formats within the same file, so this is not a problem.

comment:10 Changed 17 years ago by Ante Blašković

When I try to log in with an MD5 stored password I get an incorrect password message; login with a CRYPT password works fine.

comment:11 Changed 17 years ago by Ante Blašković

I'll try to explain this way: I have passwords already stored in svn_pwd.

ante:$apr1$b3BoO...$PFRLvDJSCFcMDwCguKDBa.
testuser:$apr1$iU5.....$2SRd4MCBKFbFuZlHNWHab/
ante1:YDNMS/QpdAX0g

If I go to Trac account preferences and try to change the password for user ante (MD5) I receive the error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

comment:12 in reply to:  11 Changed 17 years ago by Matt Good

Replying to ante:

If I go to Trac account preferences and try to change the password for user ante (MD5) I receive the error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

I've created #3225 for this since it's not really the same as the request here since it's a problem reading existing passwords rather than the format used by new passwords.

comment:13 Changed 16 years ago by Mitar

Cc: Mitar added; anonymous removed

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

comment:14 in reply to:  13 Changed 14 years ago by Steffen Hoffmann

Keywords: htpasswd file added
Owner: changed from Matt Good to Steffen Hoffmann
Summary: changed from Make default htpasswd hash type configurable to [patch] Make default htpasswd hash type configurable

Replying to Mitar:

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

Yes, since I've taken maintainership of this plugin this week, I'll try to catch up with tickets as well as I can. Thanks for your patience. Still I'd value getting a hint, if this changed to a non-issue by now.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

Thanks for the hint. I think this is as good as a patch would have been. I will add such an option while preparing more changes to htpasswd file handling.

comment:15 Changed 14 years ago by Steffen Hoffmann

Status: changed from new to assigned
Summary: changed from [patch] Make default htpasswd hash type configurable to Make default htpasswd hash type configurable
Trac Release: changed from 0.10 to 0.11

Well, I've done a slightly different implementation, testing now.

On second thought I disregarded salt_prefix as option name, since it was too internal. I'll use hash_type and map needed salt_prefix settings under the hood, you see?

And while we are at it, why limit to md5? I chose to allow 'sha' as another preset as well. Objections?

Final question: Do we require a backport to 0.10 branch as well?

comment:16 Changed 14 years ago by Mitar

Welcome aboard maintainship of this plugin. I am glad!

Great! Of course we should not limit only to md5. By allowing custom prefix we can support any type.

I think 0.10 is not needed anymore. Those having a 0.10 installation probably already fixed that in some other way.

comment:17 Changed 14 years ago by Steffen Hoffmann

Cc: p_ansell@…, Dan Bucatanschi added
Severity: changed from normal to major

#2031 has been closed as a duplicate of this ticket. Seems there are some more people interested in this feature.

comment:18 Changed 14 years ago by Steffen Hoffmann

Resolution: set to fixed
Status: changed from assigned to closed

(In [9274]) AccountManagerPlugin: Force different hash type in htpasswd files by choice, closes #2282.

The new option hash_type is available via acct_mgr config admin UI too. Salt generation is moved from htpasswd() module into new mkhtpasswd(). An old compatibility method for Python <= 2.3 gets removed while doing some code cleanup. And we add a new, long missed unittest for crypt|md5|sha hash creation.

comment:19 Changed 14 years ago by Steffen Hoffmann

#7395 has been closed as a duplicate of this ticket. There is a patch in there suggesting another way to introduce hash type selection.
