From dda320f86046f7e77e76d063ac14ef910ff2368c Mon Sep 17 00:00:00 2001
From: Jim Jagielski
Date: Wed, 25 Jul 2012 11:38:19 +0000
Subject: [PATCH] * htpasswd: Note more prominently that SHA and crypt are
 insecure.

trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1352910
2.4.x patch: trunk patch works
+1: rjung, humbedooh, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1365528 13f79535-47bb-0310-9956-ffa450edef68
---
STATUS | 6 ------
docs/manual/programs/htpasswd.xml | 9 +++++++--
support/htpasswd.c | 5 +++--
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/STATUS b/STATUS
index 6d4e7dfbbd..bb9a751d02 100644
--- a/STATUS
+++ b/STATUS
@@ -110,12 +110,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
+1: rjung, jorton, jim
rjung: sf: you applied it to trunk, care to vote?
- * htpasswd: Note more prominently that SHA and crypt are insecure.
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1352910
- 2.4.x patch: trunk patch works
- +1: rjung, humbedooh, jim
- rjung: sf: you applied it to trunk, care to vote?
-
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml
index f08caf37c7..b254e141d4 100644
--- a/docs/manual/programs/htpasswd.xml
+++ b/docs/manual/programs/htpasswd.xml
@@ -108,11 +108,13 @@ distribution.
-d
Use crypt()
encryption for passwords. This is not
supported by the httpd server on Windows and
- Netware.
+ Netware. This algorithm limits the password length to 8 characters.
+ This algorithm is insecure by today's standards.
-s
Use SHA encryption for passwords. Facilitates migration from/to Netscape
- servers using the LDAP Directory Interchange Format (ldif).
+ servers using the LDAP Directory Interchange Format (ldif).
+ This algorithm is insecure by today's standards.
-p
Use plaintext passwords. Though htpasswd
will support
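Review bot: the new -d wording "limits the password length to 8 characters" undersells what traditional crypt() does: it does not reject a longer password, it silently uses only the first 8 characters and ignores the rest, so a user who sets a 20-character password gets 8 characters of protection without any error. Suggest stating that directly, e.g. "Only the first 8 characters of the password are used; anything beyond that is silently discarded." The -s entry likewise says "insecure" without the reason; since a later paragraph in this same file explains that only the crypt() and MD5 formats prepend a random salt, a short clause here ("the SHA format is unsalted, so identical passwords produce identical hashes and precomputed dictionaries apply directly") ties the warning to that explanation. Minor: both entries call a one-way hash "encryption"; that matches the existing wording in the file, so not a blocker for this backport.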
@@ -200,6 +202,9 @@ distribution.
there is only one encrypted representation. The crypt()
and
MD5 formats permute the representation by prepending a random salt string,
to make dictionary attacks against the passwords more difficult.
+
+ The SHA and crypt()
formats are insecure by today's
+ standards.
Restrictions
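Review bot: the added sentence says the SHA and crypt() formats are insecure but gives neither the reason nor the recommended alternative, right after two sentences that already explain the relevant mechanism (only crypt() and MD5 are salted). Suggest linking the two and naming the default, along the lines of "The SHA format is unsalted and crypt() uses only the first 8 characters of the password, so both are insecure; use the MD5 format (the default, -m) instead." Also "by today's standards" will age badly in reference documentation; "is insecure" is sufficient.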
diff --git a/support/htpasswd.c b/support/htpasswd.c
index 16e55a0630..993ce625e3 100644
--- a/support/htpasswd.c
+++ b/support/htpasswd.c
@@ -283,9 +283,10 @@ static void usage(void)
" (default)"
"." NL);
apr_file_printf(errfile, " -d Force CRYPT encryption of the password"
- "." NL);
+ " (8 chars max, insecure)." NL);
apr_file_printf(errfile, " -p Do not encrypt the password (plaintext)." NL);
- apr_file_printf(errfile, " -s Force SHA encryption of the password." NL);
+ apr_file_printf(errfile, " -s Force SHA encryption of the password"
+ " (insecure)." NL);
apr_file_printf(errfile, " -b Use the password from the command line "
"rather than prompting for it." NL);
apr_file_printf(errfile, " -D Delete the specified user." NL);
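Review bot: the usage text now flags -d and -s as insecure, but the unchanged -p line sitting between them still describes plaintext storage neutrally; if the goal is to warn at the point of use, -p deserves at least the same "(insecure)" parenthetical, since plaintext is weaker than either hashed format. Style nit: the new -s string carries its parenthetical in a second literal (`" (insecure)." NL`) while the -d string keeps "(8 chars max, insecure)." in one; both compile identically, so just keep the wrapping consistent with the -m entry above.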