httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 53410] New: SHA-2 password hashes with more than 9999 rounds not accepted
Date Wed, 13 Jun 2012 16:19:27 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53410

          Priority: P2
            Bug ID: 53410
          Assignee: bugs@httpd.apache.org
           Summary: SHA-2 password hashes with more than 9999 rounds not
                    accepted
          Severity: normal
    Classification: Unclassified
                OS: Linux
          Reporter: jasonovich@mailfish.de
          Hardware: PC
            Status: NEW
           Version: 2.2.17
         Component: Core
           Product: Apache httpd-2

I created two SHA-512 password hashes for the password "foobar" with the
crypt() function under Fedora 14, one using 9999 rounds, the other using 10000
rounds:

crypt("foobar", "$6$rounds=9999$IOm.N/WPP/0qRkWo");
crypt("foobar", "$6$rounds=10000$IOm.N/WPP/0qRkWo");

I added the results to a password file for basic authentication:

user1:$6$rounds=9999$IOm.N/WPP/0qRkWo$FMP6X5bcfVQX5IC6U7Kw5RIJn/s.MbMZ/LFf1Lt7fzqb.5vlofDv5e47UEWZM/fdsOd3jgJDhHdrnTOswZH4X1
user2:$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/

The 10000 rounds hash is not accepted by Apache ("Password Mismatch" in the
error.log) although apr_password_validate() from apr_md5.c uses the system's
crypt()/crypt_r() functions.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
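
An added example, not part of the original report and not Apache or APR code: a small C parser for the `$5$`/`$6$` SHA-crypt fields quoted above that flags password-file entries whose `rounds=` value exceeds 9999, the last value the report saw accepted. The function names and the `struct sha_crypt` layout are assumptions made for illustration; the 5000-round default and the salt and digest lengths are those of the SHA-crypt scheme.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed view of one SHA-crypt field: $id$[rounds=N$]salt$digest */
struct sha_crypt {
    int id;                 /* 5 = SHA-256, 6 = SHA-512 */
    unsigned long rounds;   /* explicit value, or 5000 when rounds= is absent */
    size_t salt_len, digest_len;
};

/* Parse the field after "user:". Returns 0 on success, -1 if malformed. */
int parse_sha_crypt(const char *s, struct sha_crypt *out)
{
    if (s[0] != '$' || (s[1] != '5' && s[1] != '6') || s[2] != '$')
        return -1;
    out->id = s[1] - '0';
    out->rounds = 5000;                     /* scheme default */
    s += 3;
    if (strncmp(s, "rounds=", 7) == 0) {
        char *end;
        if (s[7] < '0' || s[7] > '9')       /* reject sign or whitespace */
            return -1;
        out->rounds = strtoul(s + 7, &end, 10);
        if (*end != '$')
            return -1;
        s = end + 1;
    }
    const char *sep = strchr(s, '$');
    if (sep == NULL)
        return -1;
    out->salt_len = (size_t)(sep - s);
    out->digest_len = strcspn(sep + 1, ":\r\n");
    /* Salt is at most 16 chars; digest is 43 ($5$) or 86 ($6$) chars. */
    if (out->salt_len > 16 || out->digest_len != (out->id == 6 ? 86u : 43u))
        return -1;
    return 0;
}

/* Returns 1 if a "user:hash" line holds a SHA-crypt hash with rounds > limit. */
int line_exceeds_rounds(const char *line, unsigned long limit)
{
    struct sha_crypt h;
    const char *colon = strchr(line, ':');
    return colon && parse_sha_crypt(colon + 1, &h) == 0 && h.rounds > limit;
}

int main(void)
{   /* The user2 entry from the report above. */
    const char *l = "user2:$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/";
    printf("rounds > 9999: %s\n", line_exceeds_rounds(l, 9999) ? "yes" : "no");
    return 0;
}
```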

