Feature Proposal: libc MD5-crypt passwords for HtPasswdUser.pm
Motivation
crypt() is insecure; the md5 passwords use the static $TWiki::cfg{AuthRealm} as their salt (which also seems fragile), and the sha1 passwords use no salt at all.
Description and Documentation
Enable use of standard libc (/etc/shadow) crypt-md5 passwords (of the form $1$saltsalt$hashashhashhashhash...$). These are stronger than the crypt passwords, they are salted, and the salt is stored in the encrypted password string just as it is for normal crypt passwords.
Examples
.htpasswd:
TestUser:$1$saltIAd2$blahblah43uo6abc7s3xW0:email@domain
Impact
Implementation
Add to HtPasswdUser.pm (a new branch of the Encoding chain in encrypt()):
} elsif ( $TWiki::cfg{Htpasswd}{Encoding} eq 'crypt-md5' ) {
    # @saltchars is the module-level array HtPasswdUser.pm already uses for 'crypt'
    my $salt;
    # when checking an existing password, reuse the salt stored in the "$1$salt$hash" entry
    $salt = $this->fetchPass($login) unless $fresh;
    if ( $salt && $salt =~ /^\$1\$([^\$]{1,8})\$/ ) {
        $salt = $1;
    }
    if ( $fresh || !$salt ) {
        $salt = '';
        foreach ( 0 .. 7 ) {
            # generate a salt not only from rand() but also by mixing in the user's login name (unnecessary, but harmless)
            $salt .= $saltchars[ ( int( rand( $#saltchars + 1 ) ) + $_ + ord( substr( $login, $_ % length($login), 1 ) ) ) % ( $#saltchars + 1 ) ];
        }
    }
    return crypt( $passwd, '$1$' . substr( $salt, 0, 8 ) );
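The following stand-alone script is an added example, not code from the proposal or from TWiki's HtPasswdUser.pm. It shows the two halves of the scheme described above: creating a fresh $1$salt$hash entry with libc crypt(3), and verifying a password later by taking the salt back out of the stored entry (passing the whole stored string as the salt, as the first version of the snippet did, makes crypt() see an empty salt and verification fails). It assumes a libc whose crypt(3) supports the $1$ MD5 scheme (glibc does); the login, password and email values are constructed sample data.

```perl
#!/usr/bin/perl
# Added example: generate and verify libc MD5-crypt ($1$salt$hash) .htpasswd
# entries. Assumes crypt(3) supports the $1$ scheme (true for glibc).
use strict;
use warnings;

# Same salt alphabet crypt(3) accepts; this is also what HtPasswdUser.pm uses
my @saltchars = ( '.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z' );

# Build an 8-character salt. rand() is not a CSPRNG, but a salt only has to be
# unique per user, not secret.
sub new_salt {
    my $salt = '';
    $salt .= $saltchars[ int( rand(@saltchars) ) ] for 1 .. 8;
    return $salt;
}

# Hash a password: result is "$1$" . 8-char salt . "$" . 22-char hash
sub crypt_md5 {
    my ( $passwd, $salt ) = @_;
    $salt = new_salt() unless defined $salt;
    my $hash = crypt( $passwd, '$1$' . substr( $salt, 0, 8 ) );
    # Fail loudly instead of silently storing a DES-crypt or error value
    die "libc crypt(3) does not support \$1\$ MD5-crypt\n"
        unless defined $hash && $hash =~ /^\$1\$/;
    return $hash;
}

# Verify a password against a stored entry. The salt is read out of the entry
# itself, so only the "$1$salt$" prefix goes back into crypt().
sub check_md5 {
    my ( $passwd, $stored ) = @_;
    my ($salt) = $stored =~ /^\$1\$([^\$]{1,8})\$/ or return 0;
    my $again = crypt( $passwd, '$1$' . $salt );
    return ( defined $again && $again eq $stored ) ? 1 : 0;
}

# One .htpasswd line in the login:hash:email layout the proposal shows
sub htpasswd_line {
    my ( $login, $passwd, $email ) = @_;
    return join( ':', $login, crypt_md5($passwd), $email );
}

# Constructed sample data
my $line = htpasswd_line( 'TestUser', 'correct horse', 'email@domain' );
print "$line\n";
my $stored = ( split /:/, $line )[1];
print "right password:   ", check_md5( 'correct horse',  $stored ), "\n";
print "wrong password:   ", check_md5( 'wrong horse',    $stored ), "\n";
# Unlike DES crypt, MD5-crypt does not truncate to 8 characters, so a
# password that differs only after the 8th character must be rejected
print "longer password:  ", check_md5( 'correct horseX', $stored ), "\n";
```

Run it as `perl md5crypt_demo.pl`; the third check is the property the discussion below cares about, since DES crypt would accept the longer password. The string compare with eq is fine for a demonstration but is not constant-time; a production checker would compare with a fixed-time routine.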
--
Contributors: JoshuaCharlesCampbell - 26 May 2008
Discussion
Joshua - I think we should add this to 4.2.1 - but that means it needs a tiny documentation patch, and a TWiki.spec file patch too
--
SvenDowideit - 27 May 2008
Normally I would say no new features. But since I learned that current passwords can only be 8 chars, I am willing to make an exception to the rule because this will enhance the security of public TWikis, and we do have a rule/tradition to include security fixes in patch releases. It is simply common sense to include this.
I am adding today's date to the committed date so the proposal starts the 14-day clock.
No need to wait for the 14 days to pass to implement this. I doubt there will be resistance against it, and worst case reverting 10 lines is trivial.
--
KennethLavrsen - 29 May 2008
Sensible fix. I presume there is no additional dependency?
--
PeterThoeny - 29 May 2008
gah. This patch is woefully incomplete - completed the work and added unit tests.
Bugs:Item5823.
--
SvenDowideit - 28 Jul 2008