httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] htdbm: warn crypt-enabled users that plaintext format won't work
Date Mon, 03 Apr 2006 23:53:07 GMT
Taking things one step further, sha1 is far preferred for cryptographic
purposes these days than md5.  Suppose it's time to switch?

Bill


Jeff Trawick wrote:
> Index: support/htdbm.c
> ===================================================================
> --- support/htdbm.c     (revision 390811)
> +++ support/htdbm.c     (working copy)
> @@ -308,6 +308,10 @@
>          case ALG_PLAIN:
>              /* XXX this len limitation is not in sync with any HTTPd len. */
>              apr_cpystrn(cpw,htdbm->userpass,sizeof(cpw));
> +#if APR_HAVE_CRYPT_H
> +            fprintf(stderr, "Warning: Plain text passwords aren't
> supported by the "
> +                    "server on this platform!\n");
> +#endif
>          break;
>  #if APR_HAVE_CRYPT_H
>          case ALG_CRYPT:
> 
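Review bot: the string literal in the added fprintf is split across two lines ("aren't" / "supported by the "), which would not compile as shown; this looks like mailer line wrapping rather than the real patch, but please confirm the committed version keeps `"Warning: Plain text passwords aren't supported by the "` on one line. A second point on the same block: the warning goes to stderr but the code still falls through to `break;` after `apr_cpystrn(cpw,htdbm->userpass,sizeof(cpw));`, so the unusable plaintext entry is written anyway, and a user who does not notice stderr ends up with an account that can never authenticate. Consider refusing to write the entry (or at least exiting non-zero) when `APR_HAVE_CRYPT_H` is set, since the message itself says the format is unsupported on this platform.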
> FWIW, when you choose crypt() you see "CRYPT is now deprecated, use
> MD5 instead!"
> 
> As I understand the plaintext password issue:
> 
> In the database file, there are special denotations for md5 and sha1
> password hashes, and if there is no denotation then the server expects
> (defaults to) crypt() format.  But on Windows no crypt() function is
> available, so no denotation means plaintext format there.
> 
> 1) design issue: file format doesn't have a delimiter for plain text, so a
> server on Unix has no way to support plaintext passwords
> 
> 2) usability issue: htdbm doesn't warn users on platforms with crypt() that
> it is fruitless to specify plaintext format for password
> 
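An added example (not code from the patch or from httpd) that makes the file-format point above concrete: a field labelled `{SHA}` or `$apr1$` (the markers httpd uses for its sha1 and md5 formats) is unambiguous, while an unlabelled field is read as crypt() output wherever `APR_HAVE_CRYPT_H` is set and as plaintext otherwise. The sample entries, the `have_crypt` flag and the `audit` helper are constructed for this illustration.

```python
import base64
import hashlib

# Markers httpd recognises in a stored password field. Anything without a
# marker is crypt() output on platforms with crypt(), plaintext elsewhere.
APR_MD5_PREFIX = "$apr1$"
SHA1_PREFIX = "{SHA}"


def sha1_field(password):
    """Encode a password in httpd's {SHA} format: base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA1_PREFIX + base64.b64encode(digest).decode("ascii")


def verify_sha1(field, password):
    """Check a {SHA} field against a candidate password."""
    return field.startswith(SHA1_PREFIX) and field == sha1_field(password)


def server_interpretation(field, have_crypt):
    """How the server reads a field; have_crypt mirrors APR_HAVE_CRYPT_H
    (True on Unix, False on Windows)."""
    if field.startswith(APR_MD5_PREFIX):
        return "md5"
    if field.startswith(SHA1_PREFIX):
        return "sha1"
    return "crypt" if have_crypt else "plaintext"


def audit(lines, have_crypt):
    """Flag 'user:field[:comment]' entries that will not behave as intended
    on this platform: unhashed secrets, or unlabelled fields that crypt()
    will never match if they were meant to be plaintext."""
    findings = []
    for line in lines:
        if ":" not in line:
            continue  # not a user:password record
        user, field = line.split(":", 2)[:2]
        kind = server_interpretation(field, have_crypt)
        if kind == "plaintext":
            findings.append((user, "stored in plaintext, no hashing at all"))
        elif kind == "crypt":
            findings.append((user, "unlabelled field: read as crypt() output, "
                                   "so a plaintext entry can never match"))
    return findings


# Constructed sample file: a labelled sha1 entry, a labelled md5 entry with a
# placeholder hash, and an unlabelled entry that is ambiguous by design.
SAMPLE = [
    "alice:" + sha1_field("correct horse"),
    "bob:$apr1$placeholdersalt$placeholderhash",
    "carol:secret",
]
```

Running `audit(SAMPLE, True)` and `audit(SAMPLE, False)` both flag only carol, for different reasons: on Unix her entry is read as a crypt() hash that nothing matches, on Windows it is a plaintext password.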

