
Mailing List Archive: Apache: Dev

Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS

 

 



rpluem at apache

Apr 10, 2006, 12:08 PM

Post #1 of 10 (1126 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS

On 04/10/2006 03:58 PM, trawick wrote:

> -
> + * htdbm: Warn when the user adds a plaintext password on a platform
> + with crypt(). The server will assume that the format is crypt().
> + Trunk version of patch:
> + http://svn.apache.org/viewcvs?rev=392945&view=rev
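Review bot: the entry says only "Warn when the user adds a plaintext password" and does not state whether htdbm still writes that record on a platform with crypt(). Because the next sentence says the server will assume the format is crypt(), consider adding to the entry whether the stored record can ever authenticate, so voters can judge whether a warning is enough or the tool should refuse the operation.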

I guess you mean r392944 :-).

Regards

Rüdiger


trawick at gmail

Apr 10, 2006, 12:20 PM

Post #2 of 10 (1112 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

On 4/10/06, Ruediger Pluem <rpluem[at]apache.org> wrote:
>
>
> On 04/10/2006 03:58 PM, trawick wrote:
>
> > -
> > + * htdbm: Warn when the user adds a plaintext password on a platform
> > + with crypt(). The server will assume that the format is crypt().
> > + Trunk version of patch:
> > + http://svn.apache.org/viewcvs?rev=392945&view=rev
>
> I guess you mean r392944 :-).

yes :)


nick at webthing

Apr 10, 2006, 1:23 PM

Post #3 of 10 (1104 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

On Monday 10 April 2006 20:20, Jeff Trawick wrote:
> On 4/10/06, Ruediger Pluem <rpluem[at]apache.org> wrote:
> > On 04/10/2006 03:58 PM, trawick wrote:
> > > -
> > > + * htdbm: Warn when the user adds a plaintext password on a
> > > platform + with crypt(). The server will assume that the format
> > > is crypt(). + Trunk version of patch:
> > > + http://svn.apache.org/viewcvs?rev=392945&view=rev
> >

Whilst this is clearly an edge-case, is it necessarily true that any
platform with APR_HAVE_CRYPT won't support plaintext passwords?

Or might it be safer to reword the message as "may not be supported"
or "probably aren't supported"?


--
Nick Kew


wrowe at rowe-clan

Apr 10, 2006, 1:39 PM

Post #4 of 10 (1104 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

Nick Kew wrote:
>
> Whilst this is clearly an edge-case, is it necessarily true that any
> platform with APR_HAVE_CRYPT won't support plaintext passwords?

AIUI - apache has always been an either or - it's either plaintext on
platforms without crypt, or crypt on platforms with such support.


jorge.schrauwen at gmail

Apr 10, 2006, 2:45 PM

Post #5 of 10 (1095 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

I was wondering this too while parsing htpasswd files in PHP.
All others have an identifier in front to see what encryption it used...
Why doesn't crypt have one?

On 4/10/06, William A. Rowe, Jr. <wrowe[at]rowe-clan.net> wrote:
>
> Nick Kew wrote:
> >
> > Whilst this is clearly an edge-case, is it necessarily true that any
> > platform with APR_HAVE_CRYPT won't support plaintext passwords?
>
> AIUI - apache has always been an either or - it's either plaintext on
> platforms without crypt, or crypt on platforms with such support.
>



--
~Jorge


trawick at gmail

Apr 10, 2006, 4:09 PM

Post #6 of 10 (1107 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

On 4/10/06, William A. Rowe, Jr. <wrowe[at]rowe-clan.net> wrote:
> Nick Kew wrote:
> >
> > Whilst this is clearly an edge-case, is it necessarily true that any
> > platform with APR_HAVE_CRYPT won't support plaintext passwords?
>
> AIUI - apache has always been an either or - it's either plaintext on
> platforms without crypt, or crypt on platforms with such support.

Right; quite bogusly, the file format is even busted... There is a
decoration for md5 hash and a decoration for sha1 hash, but no
decoration means:

a) platform-has-crypt - treat the undecorated password hash as
crypt-ed; no provision for plaintext

b) platform-does-not-have-crypt - treat the undecorated password
"hash" as plaintext
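
The ambiguity described in the post above, as an added example that is not part of the original thread or of the httpd code base: a small audit that classifies each stored value in an htpasswd-style `user:value` flat file. The prefixes `$apr1$` (APR MD5) and `{SHA}` (SHA-1) are Apache's decorations, which the thread does not spell out; the 13-character shape test for traditional crypt() output is a heuristic assumed here, and the sample entries are constructed.

```python
import re

# Constructed sample entries (not taken from the thread).
SAMPLE = """\
alice:$apr1$Qx3k9/..$0123456789abcdefghijkl
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:abJnggxhB/yWI
dave:hunter2
# comment line
"""

# Traditional DES crypt() output: 2 salt + 11 hash characters from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")


def classify(stored):
    """Return the scheme a stored value is decorated with, if any."""
    if stored.startswith("$apr1$"):
        return "apr-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    # No decoration: the reader must guess from the platform. On a platform
    # with crypt() the value is treated as a crypt hash, so a value that does
    # not even have the crypt shape is most likely stored plaintext that will
    # never match there.
    if DES_CRYPT.fullmatch(stored):
        return "undecorated: crypt-shaped"
    return "undecorated: not crypt-shaped"


def audit(text):
    """Classify every entry; returns (line number, user, finding) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        findings.append((lineno, user, classify(stored) if sep else "malformed"))
    return findings


if __name__ == "__main__":
    for lineno, user, finding in audit(SAMPLE):
        print(f"line {lineno}: {user}: {finding}")
```

A crypt-shaped value is only consistent with crypt(); a 13-character plaintext password drawn from the same alphabet would be classified the same way, which is exactly the gap an identifier tag would close.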


wrowe at rowe-clan

Apr 11, 2006, 10:27 AM

Post #7 of 10 (1106 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

Jorge Schrauwen wrote:
> I was wondering this too while parsing htpasswd files in PHP.
> All others have an identifier in front to see what encryption it used...
> Why doesn't crypt have one?

Because why would anyone have a passwd file that doesn't use crypt()?

Have to remember htpasswd followed the passwd shadow file, and that was always
using crypt. Nobody at the time foresaw a reason to do anything else. The
identifier tags came later. Why plain didn't gain an identifier tag is beyond me.

Bill


jorge.schrauwen at gmail

Apr 11, 2006, 12:34 PM

Post #8 of 10 (1104 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

That's the problem, I think: plain and crypt both don't have an identifier tag.
Since the script will be used on win only, I went for always plain text.

Can crypt be emulated on platforms that don't support it? Or will this be too
slow?

On 4/11/06, William A. Rowe, Jr. <wrowe[at]rowe-clan.net> wrote:
>
> Jorge Schrauwen wrote:
> > I was wondering this too while parsing htpasswd files in PHP.
> > All others have an identifier in front to see what encryption it used...
> > Why doesn't crypt have one?
>
> Because why would anyone have a passwd file that doesn't use crypt()?
>
> Have to remember htpasswd followed the passwd shadow file, and that was
> always
> using crypt. Nobody at the time foresaw a reason to do anything
> else. The
> identifier tags came later. Why plain didn't gain an identifier tag is
> beyond me.
>
> Bill
>



--
~Jorge


trawick at gmail

Apr 12, 2006, 4:05 AM

Post #9 of 10 (1104 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

On 4/11/06, Jorge Schrauwen <jorge.schrauwen[at]gmail.com> wrote:
> Can crypt be emulated on platforms that don't support it? Or will this be too
> slow?

A crypt() implementation could be provided for these platforms whose
system libraries don't already have it.


wrowe at rowe-clan

Apr 12, 2006, 12:21 PM

Post #10 of 10 (1109 views)
Re: svn commit: r392948 - /httpd/httpd/branches/2.2.x/STATUS [In reply to]

Jeff Trawick wrote:
> On 4/11/06, Jorge Schrauwen <jorge.schrauwen[at]gmail.com> wrote:
>
>>Can crypt be emulated on platforms that don't support it? Or will this be too
>>slow?
>
> A crypt() implementation could be provided for these platforms whose
> system libraries don't already have it.

This ignores the fact that all crypt()s are far from equivalent. It's a
non-portable API (at least from its binary results.) This is why we choose md5,
and maybe sha1 in the future, as a truly portable solution.

Bill
