Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 4314 invoked by uid 6000); 2 Feb 1999 19:02:08 -0000
Received: (qmail 4273 invoked from network); 2 Feb 1999 19:02:06 -0000
Received: from smtp.lerdorf.on.ca (HELO sunlab.bellglobal.com) (199.243.250.75) by taz.hyperreal.org with SMTP; 2 Feb 1999 19:02:06 -0000
Received: from collective.lerdorf.on.ca (collective.lerdorf.on.ca [207.164.141.23]) by sunlab.bellglobal.com (8.9.1/8.8.8) with ESMTP id OAA06517 for ; Tue, 2 Feb 1999 14:03:44 -0500 (EST)
Date: Tue, 2 Feb 1999 14:01:40 -0500 (Eastern Standard Time)
From: Rasmus Lerdorf
To: new-httpd@apache.org
Subject: Re: basic auth broken
In-Reply-To: <36B72DE6.53EA04F@Golux.Com>
Message-ID:
X-X-Sender: rasmus@imap3.bellglobal.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

> So it sounds as though we should branch off and not try to
> make our portable passwords be recognisable as using the
> same algorithm as anyone else's. I.e., use our own unique
> significator (and beef up our encryption a bit). If it happens
> that ours is identical to FreeBSD's, at least we're not
> claiming it's the same as any other MD5 algorithm.
>
> How about directly copying FreeBSD's, but changing the format
> to '$apr1$$'? That gives some room for
> growth.

I think that would be safe. And if you use the same length of SALT as the
FreeBSD implementation, if someone really needed to migrate a password file
from one to the other they could simply do a s/apr1/1/ and it should work.

-Rasmus
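The scheme under discussion, as an added example that is not from this thread nor from the Apache or FreeBSD sources: a Python port of the FreeBSD md5crypt construction with the magic prefix (`$1$` or `$apr1$`) as a parameter, plus a verifier that reads the prefix back out of a stored hash. The salt is capped at 8 characters as in FreeBSD's implementation; the function names, the sample password and salt are this example's own choices. One property worth seeing in code: the magic string is fed into the first MD5 context together with the password and salt, so the same password and salt give different 22-character digests under the two prefixes, and a file migrated by rewriting the prefix alone should be spot-checked against the target system's own `crypt` before it is trusted.

```python
"""FreeBSD-style md5crypt with a selectable magic prefix ($1$ vs $apr1$).

Added example; not the Apache or FreeBSD code. Salt/password values below are constructed.
"""
import hashlib
import hmac

# crypt(3)'s base-64 alphabet, 6 bits per character, least significant group first
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SUPPORTED_MAGIC = (b"$1$", b"$apr1$")


def _to64(value: int, count: int) -> bytes:
    """Encode `count` 6-bit groups of `value`, lowest group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$1$") -> bytes:
    """Return '<magic><salt>$<22 chars>' following the FreeBSD md5crypt steps."""
    if magic not in SUPPORTED_MAGIC:
        raise ValueError("unsupported magic prefix")
    salt = salt[:8]  # FreeBSD uses at most 8 salt characters

    # Step 1: the magic prefix is part of the digest input, not just a label
    ctx = hashlib.md5(password + magic + salt)

    # Step 2: mix in md5(password + salt + password), once per 16 bytes of password
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:
        ctx.update(alt[: min(16, plen)])
        plen -= 16

    # Step 3: for each bit of len(password), add a NUL byte (bit set) or password[0]
    i = len(password)
    while i:
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()

    # Step 4: 1000 stretching rounds with the fixed FreeBSD schedule
    for rnd in range(1000):
        c = hashlib.md5()
        c.update(password if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()

    # Step 5: emit the 16 digest bytes in FreeBSD's permuted order as 22 characters
    enc = b""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    enc += _to64(final[11], 2)
    return magic + salt + b"$" + enc


def verify(password: bytes, stored: bytes) -> bool:
    """Check a stored '$1$salt$hash' or '$apr1$salt$hash' string against a password."""
    parts = stored.split(b"$")
    if len(parts) != 4 or parts[0] != b"":
        return False
    magic = b"$" + parts[1] + b"$"
    if magic not in SUPPORTED_MAGIC:
        return False
    # constant-time comparison so verification timing does not leak the digest
    return hmac.compare_digest(md5crypt(password, parts[2], magic), stored)


def prefix_rewrite_matches(password: bytes, salt: bytes) -> bool:
    """True only if s/1/apr1/ on a $1$ hash would equal a real $apr1$ hash (it does not)."""
    rewritten = md5crypt(password, salt, b"$1$").replace(b"$1$", b"$apr1$", 1)
    return hmac.compare_digest(rewritten, md5crypt(password, salt, b"$apr1$"))


if __name__ == "__main__":
    # constructed sample inputs
    pw, salt = b"correct horse", b"Y2k9x0Qa"
    print(md5crypt(pw, salt).decode())
    print(md5crypt(pw, salt, b"$apr1$").decode())
    print("prefix rewrite preserves hash:", prefix_rewrite_matches(pw, salt))
```

The `$1$` and `$apr1$` outputs can be cross-checked against `openssl passwd -1 -salt Y2k9x0Qa 'correct horse'` and `openssl passwd -apr1 -salt Y2k9x0Qa 'correct horse'`, which implement the same two constructions.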