httpd-dev mailing list archives

From Martin Kraemer <mar...@apache.org>
Subject [PATCH] htpasswd.c: New -S<salt> option?
Date Mon, 03 Sep 2007 12:13:20 GMT
The topics addressed in this patch are:

* As a debugging aid, the salt can be preseeded by specifying the
  base64-string to use:
    $ htpasswd -S ........ -nb Apache Apache
    Apache:..TowpWtYvRfQ
  which allows regression testing of the various salted password
  algorithms crypt() and md5. It is debatable whether the switch
  should be called -S<salt> (there is a lower-case -s switch
  already).

* The salt for md5, when generated automatically, now uses 8 bytes of
  pseudo-random data instead of 4. Not that they contain more entropy,
  but at least they make brute-force attacks *much* more difficult.
  Before, the upper 32 bits were zero in the 48 bit number used for
  initialization of the salt (8 bytes output, each one shifting the
  random number right by 6 bits). In a present version of htpasswd,
  you can see the missing initialization as a run of 3 or 4 '.'
  characters in the salt string (before the 3rd '$' char):
    $ htpasswd -nbm Apache Apache
    Apache:$apr1$mV/um...$Nz1nYy20Cd3TywjHU74I6.

* The usage() function now takes an optional errstr, explaining why
  htpasswd decided to exit. This may improve the user interface in
  situations where certain switch combinations caused an exit via
  usage().

WDYT?

  Martin
-- 
<Martin.Kraemer@Fujitsu-Siemens.com>        |     Fujitsu Siemens
http://www.fujitsu-siemens.com/imprint.html | 81730  Munich,  Germany
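
The zero-padded salt described in the message, shown as an added example that is not part of the original post or of the patch. `to64` is a sketch of the encoding as the message describes it (low 6 bits first, shifting right by 6 per character), `apr1_salt_zero_tail` is a hypothetical helper for auditing password-file entries, and the seed values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* crypt-style base64 alphabet; '.' encodes the 6-bit value 0 */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Encode v as n characters, low 6 bits first, shifting right by 6 each
 * step (the scheme the message describes). s must hold n + 1 bytes. */
void to64(char *s, unsigned long long v, int n)
{
    while (n-- > 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
    *s = '\0';
}

/* Hypothetical audit helper: number of trailing '.' characters in the salt
 * of a "user:$apr1$salt$hash" line, or -1 if the line is not in that form.
 * A run of trailing '.' means the top bits of the salt seed were zero. */
int apr1_salt_zero_tail(const char *line)
{
    const char *p = strchr(line, ':');
    const char *end;
    int n = 0;

    if (p == NULL || strncmp(p + 1, "$apr1$", 6) != 0)
        return -1;
    p += 7;                         /* first salt character */
    end = strchr(p, '$');           /* the 3rd '$' ends the salt */
    if (end == NULL || end == p)
        return -1;
    for (; end > p && end[-1] == '.'; end--)
        n++;
    return n;
}

int main(void)
{
    char salt[9];
    to64(salt, 0xFFFFFFFFULL, 8);           /* constructed: all 32 bits set */
    printf("32-bit seed: %s\n", salt);
    to64(salt, 0xFFFFFFFFFFFFULL, 8);       /* constructed: all 48 bits set */
    printf("48-bit seed: %s\n", salt);
    printf("zero tail in the message's sample: %d\n",
           apr1_salt_zero_tail("Apache:$apr1$mV/um...$Nz1nYy20Cd3TywjHU74I6."));
    return 0;
}
```

Any seed that fits in 32 bits leaves the last two salt characters as '.', since those characters encode bits 36 to 47 of the 48-bit value.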
