| From | Sent On | Attachments |
|---|---|---|
| HTF | Jun 9, 2011 7:53 am | |
| Maxim Dounin | Jun 9, 2011 9:16 am | |
| HTF | Jun 9, 2011 10:00 am | |
| Maxim Dounin | Jun 9, 2011 10:57 am | |
| HTF | Jun 9, 2011 2:42 pm | |
| António P. P. Almeida | Jun 10, 2011 10:31 am | |
| HTF | Jun 10, 2011 10:47 am | |
| António P. P. Almeida | Jun 10, 2011 10:57 am | |
| HTF | Jun 10, 2011 10:58 am | |
| HTF | Jun 10, 2011 11:12 am | |
| HTF | Jun 11, 2011 1:54 am | |
| Maxim Dounin | Jun 11, 2011 3:28 am | |
| HTF | Jun 14, 2011 8:21 pm | |
| Maxim Dounin | Jun 15, 2011 1:03 am | |
| HTF | Jun 15, 2011 5:33 am | |
| Maxim Dounin | Jun 15, 2011 12:29 pm | |
| tsaavik | Jul 7, 2011 8:13 am | |
| Maxim Dounin | Jul 7, 2011 10:22 am | |

| Subject: | Re: Error pages/Web Authentication | |
|---|---|---|
| From: | Maxim Dounin (mdou...@mdounin.ru) | |
| Date: | Jul 7, 2011 10:22:11 am | |
| List: | ru.sysoev.nginx | |
Hello!

On Thu, Jul 07, 2011 at 11:14:27AM -0400, tsaavik wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> 1. Does Nginx support SHA encryption for the basic web authentication? When I use -s switch with htpasswd command I can't log in...
>
> I ran into this issue just the other day with htpasswd -s. I noticed that if I modified the output of htpasswd from {SHA} to {SSHA} I was able to use the generated password with nginx 1.0.4.
>
> I wonder if it is feasible to add the following to ngx_crypt.c to be more compatible with the output of htpasswd? Please note, I'm no cryptologist and barely a programmer, but I do sleep in Holiday Inns.

Your patch will work as {SHA} is identical to {SSHA} with an empty salt. But I'm not really sure we want to support {SHA} at all as it's vulnerable to rainbow table attacks and really isn't secure. You shouldn't use it unless you really need compatibility with some old software.

Please also note that $apr1$ (as generated by htpasswd -m, aka apache md5) is *more* secure than both {SHA} and {SSHA}. If you just want something compatible with Apache and secure - use $apr1$ instead.

Maxim Dounin
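The point made in the reply above, that {SHA} is {SSHA} with an empty salt, shown as an added example that is not part of the original message or of nginx's code. It assumes the usual encodings, base64(SHA1(password)) for {SHA} and base64(SHA1(password + salt) + salt) for {SSHA}; the function names, the sample users and the `audit` helper are hypothetical.

```python
import base64
import hashlib
import hmac

def sha_entry(password: str) -> str:
    """{SHA} as written by `htpasswd -s`: base64(SHA1(password)), no salt."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha_entry(password: str, salt: bytes) -> str:
    """{SSHA}: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password: str, stored: str) -> bool:
    """Check a password against {SHA} or {SSHA}; {SHA} is the empty-salt case."""
    prefix = "{SSHA}" if stored.startswith("{SSHA}") else "{SHA}"
    if not stored.startswith(prefix):
        raise ValueError("unsupported scheme")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit(htpasswd_text: str) -> dict:
    """Map each user in an htpasswd-style file to the scheme of its hash."""
    verdicts = {}
    for line in htpasswd_text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if not sep:
            continue
        if stored.startswith("{SHA}"):
            verdicts[user] = "unsalted SHA-1"
        elif stored.startswith("{SSHA}"):
            salt_len = len(base64.b64decode(stored[6:])) - 20
            verdicts[user] = "salted SHA-1" if salt_len > 0 else "SSHA with empty salt"
        elif stored.startswith("$apr1$"):
            verdicts[user] = "apr1 (htpasswd -m)"
        else:
            verdicts[user] = "other scheme"
    return verdicts

# Constructed sample file: users, passwords and the apr1 value are made up.
SAMPLE = "\n".join([
    "alice:" + sha_entry("correct horse"),
    "bob:" + sha_entry("correct horse"),  # same password, so the same hash as alice
    "carol:" + ssha_entry("correct horse", b"\x01\x02\x03\x04"),
    "dave:" + sha_entry("x").replace("{SHA}", "{SSHA}"),  # the relabelled {SHA} case
    "erin:$apr1$CONSTRUCTED$placeholder",
])
```

Without a salt, `alice` and `bob` get byte-identical entries, which is why precomputed tables work against {SHA}; `audit(SAMPLE)` also flags a relabelled {SHA} hash because its decoded length leaves no room for a salt.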