
Feature Proposal: libc MD5-crypt passwords for HtPasswdUser.pm

Motivation

crypt() is insecure; md5 passwords use the static $TWiki::cfg{AuthRealm} as a salt (which also seems fragile); the sha1 passwords use no salt at all.

Description and Documentation

Enable use of standard libc (/etc/shadow) crypt-md5 passwords (of the form $1$saltsalt$hashashhashhashhash...$), which are stronger than the crypt passwords, are salted, and store the salt inside the encrypted password string just as normal crypt passwords do.

Examples

.htpasswd:

TestUser:$1$saltIAd2$blahblah43uo6abc7s3xW0:email@domain

Impact

WhatDoesItAffect: Security

Implementation

Add to HtPasswdUser.pm (as a new branch of the if/elsif chain in encrypt(), next to the existing 'crypt' branch; @saltchars is the array that branch already uses):

    } elsif ( $TWiki::cfg{Htpasswd}{Encoding} eq 'crypt-md5' ) {
        # Stored entries look like "$1$saltsalt$hash...". When re-encrypting for a
        # password check (not $fresh), reuse the stored "$1$saltsalt" prefix so the
        # result can be compared with the stored hash.
        my $salt;
        $salt = $this->fetchPass($login) unless $fresh;
        if ( $fresh || !$salt ) {
            $salt = '$1$';
            foreach (0..7) {
                # generate a salt not only from rand() but also by mixing in the
                # user's login name (unnecessary, but harmless)
                $salt .= $saltchars[(int(rand($#saltchars+1)) + $_ + ord(substr($login, $_ % length($login), 1))) % ($#saltchars+1)];
            }
        }
        # 11 chars = "$1$" plus the 8 salt chars; crypt() ignores anything after the salt
        return crypt( $passwd, substr( $salt, 0, 11 ) );
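As an added illustration, not code from this proposal or from TWiki, here is a pure-Python implementation of the libc md5-crypt algorithm together with a checker that reuses the salt stored in a .htpasswd entry, the same fetch-then-re-encrypt pattern the Perl branch above relies on. The login, password and hash values it uses are constructed for the example.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Pure-Python libc/FreeBSD md5-crypt: returns '$1$<salt>$<22 chars>'."""
    pw, s = password.encode(), salt[:8].encode()      # salt is at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):                   # len(pw) bytes of alt
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                                           # one byte per bit of len(pw)
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                              # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # crypt's odd byte ordering, 3 bytes -> 4 base64-ish chars, then 1 byte -> 2
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = ""
    for a, b, d in order:
        v = (final[a] << 16) | (final[b] << 8) | final[d]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return "$1$" + s.decode() + "$" + out

def check_htpasswd_line(line: str, login: str, password: str) -> bool:
    """Verify a 'login:$1$salt$hash[:email]' line by re-hashing with the stored salt."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2 or fields[0] != login:
        return False
    stored = fields[1]
    parts = stored.split("$")                          # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False                                   # not a crypt-md5 entry
    return md5_crypt(password, parts[2]) == stored

if __name__ == "__main__":
    # constructed entry: same layout as the .htpasswd example above
    entry = "TestUser:" + md5_crypt("correct horse", "saltIAd2") + ":email@domain"
    print(entry, check_htpasswd_line(entry, "TestUser", "correct horse"))
```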

-- Contributors: JoshuaCharlesCampbell - 26 May 2008

Discussion

Joshua - I think we should add this to 4.2.1 - but that means it needs a tiny documentation patch, and a TWiki.spec file patch too

-- SvenDowideit - 27 May 2008

Normally I would say no new features. But since I learned that current passwords can only be 8 chars I am willing to make an exception to the rule because this will enhance the security of public TWikis and we do have a rule/tradition to include security fixes in patch releases. It is simply common sense to include this.

I am adding today's date to the committed date so the proposal starts the 14-day clock.

No need to wait for the 14 days to pass to implement this. I doubt there will be resistance against it, and worst case reverting 10 lines is trivial.

-- KennethLavrsen - 29 May 2008

Sensible fix. I presume there is no additional dependency?

-- PeterThoeny - 29 May 2008

gah. This patch is woefully incomplete - completed the work and added unit tests. Bugs:Item5823.

-- SvenDowideit - 28 Jul 2008

Topic revision: r6 - 2008-07-28 - 04:45:58 - SvenDowideit