Return-Path:
X-Original-To: apmail-httpd-cvs-archive@www.apache.org
Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by minotaur.apache.org (Postfix) with SMTP id 884999917
for ;
Fri, 22 Jun 2012 14:57:09 +0000 (UTC)
Received: (qmail 85364 invoked by uid 500); 22 Jun 2012 14:57:09 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 85314 invoked by uid 500); 22 Jun 2012 14:57:09 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
list-help:
list-unsubscribe:
List-Post:
List-Id:
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 85306 invoked by uid 99); 22 Jun 2012 14:57:09 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 22 Jun 2012 14:57:09 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=5.0
tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 22 Jun 2012 14:57:08 +0000
Received: from eris.apache.org (localhost [127.0.0.1])
by eris.apache.org (Postfix) with ESMTP id 31A7923889BB;
Fri, 22 Jun 2012 14:56:48 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1352910 - in /httpd/httpd/trunk:
docs/manual/programs/htpasswd.xml support/htpasswd.c
Date: Fri, 22 Jun 2012 14:56:47 -0000
To: cvs@httpd.apache.org
From: sf@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120622145648.31A7923889BB@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: sf
Date: Fri Jun 22 14:56:44 2012
New Revision: 1352910
URL: http://svn.apache.org/viewvc?rev=1352910&view=rev
Log:
note more prominently that SHA and crypt are insecure
Modified:
httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
httpd/httpd/trunk/support/htpasswd.c
Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=1352910&r1=1352909&r2=1352910&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Fri Jun 22 14:56:44 2012
@@ -108,11 +108,13 @@ distribution.
-d
Use crypt()
encryption for passwords. This is not
supported by the httpd server on Windows and
- Netware.
+ Netware. This algorithm limits the password length to 8 characters.
+ This algorithm is insecure by today's standards.
-s
Use SHA encryption for passwords. Facilitates migration from/to Netscape
- servers using the LDAP Directory Interchange Format (ldif).
+ servers using the LDAP Directory Interchange Format (ldif).
+ This algorithm is insecure by today's standards.
-p
Use plaintext passwords. Though htpasswd
will support
@@ -200,6 +202,9 @@ distribution.
there is only one encrypted representation. The crypt()
and
MD5 formats permute the representation by prepending a random salt string,
to make dictionary attacks against the passwords more difficult.
+
+ The SHA and crypt()
formats are insecure by today's
+ standards.
Restrictions
Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=1352910&r1=1352909&r2=1352910&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Fri Jun 22 14:56:44 2012
@@ -283,9 +283,10 @@ static void usage(void)
" (default)"
"." NL);
apr_file_printf(errfile, " -d Force CRYPT encryption of the password"
- "." NL);
+ " (8 chars max, insecure)." NL);
apr_file_printf(errfile, " -p Do not encrypt the password (plaintext)." NL);
- apr_file_printf(errfile, " -s Force SHA encryption of the password." NL);
+ apr_file_printf(errfile, " -s Force SHA encryption of the password"
+ " (insecure)." NL);
apr_file_printf(errfile, " -b Use the password from the command line "
"rather than prompting for it." NL);
apr_file_printf(errfile, " -D Delete the specified user." NL);