apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan Bloom <...@covalent.net>
Subject Re: [PATCH] apr_password_validate with LIBEAY des_fcrypt support take 2
Date Mon, 24 Sep 2001 15:42:31 GMT
On Monday 24 September 2001 12:42 pm, Mladen Turk wrote:
> > > > I dislike this.  My concern is that if you take the same binary to
> 2
> > > > different Windows machines, you will get two different results.
> [Mladen Turk]
> Don't we always do :-) ?
> > > > I would prefer to just have APR always use md5 hashes to protect
> passwords.  We
> > > > could basically just document the des option as depricated, and
> only
> > > > provided for backwards compat with older systems.
> [Mladen Turk]
> OK. I can accept that. But could you guys vote on that or whatever is
> needed to make a decision, so that someone willing to help doesn't waste
> time going into dead ends. I don't recall seeing that thoughts before.

The problem is that I didn't start thinking about this problem until this patch.
This is kind of what happens, most of us can't really handle all of the 
bandwidth on the list, so we try to keep an eye on all of the e-mail, but
for the most part we skim it.  Then, when things get closer to fruition, we
try to make sure we see what is happening.  At least that is what I have
been forced to do because of time constraints recently.

> On the other hand why not be able to be a backward compatible on WIN
> too? That is the purpose of the patch I wrote, to enable you to be a
> compatible if that's what you _want_.

But we have never supported DES on Win32, so that doesn't really fit under
backwards compat.

> Backward compatibility IMO should be defined in compile time and stated
> as such in the documentation, so my suggestion is to drop the crypt from
> other platforms too, and live it as a compile-time option, and the
> password validation would be consistent on all platforms.

That is a very valid option.  Let's hear what other people think, and I will
implement it next week, unless there is a veto.

> > > Huh?  Are you suggesting that des is depricated on Win32, or _ALL_
> > > platforms?
> >
> > I'm suggesting that DES is depricated on all platforms, but APR still
> provides
> > a way to use DES on non-windows platforms, for backwards compat.
> [Mladen Turk]
> If MD5 hashing is going to be the only core password protection, then we
> should drop all the other algorithms from the htpasswd utility too.
> Further more IMO if there is passwd_verify then there should be
> passwd_make, just like there is file_create and file_delete. That would
> require only couple of lines of code to wrap the apr_md5_encode, and
> made password management utils a lot simpler and cleaner from user point
> of view.

I need to look at how that would work, but I think it is probably a good idea.


Ryan Bloom				rbb@apache.org
Covalent Technologies			rbb@covalent.net

View raw message