Feature #11365: Change Webrick to support SHA htpasswd files - Ruby master - Ruby Issue Tracking System

Custom queries

Backport 3.0
Backport 3.1
Backport 3.2
Backport 3.3
bugs: unassigned
DevMeeting
matz
Open issues with attachment

Actions

Copy link

Feature #11365

closed

Change Webrick to support SHA htpasswd files

Added by jeremyevans0 (Jeremy Evans) almost 9 years ago. Updated over 6 years ago.

Status:

Closed

Assignee:

normalperson (Eric Wong)

Target version:

[ruby-core:70017]

Description

This changes Webrick to default to creating SHA htpasswd files.
It also changes Webrick to support reading SHA htpasswd files,
in addition to supporting the previous crypt password files.

Among other things, this allows Webrick's htpasswd support to
work on OpenBSD, which does not support insecure DES-based
passwords in crypt(3).

Files

0003-Change-Webrick-to-support-SHA-htpasswd-files.patch (3.62 KB) 0003-Change-Webrick-to-support-SHA-htpasswd-files.patch

jeremyevans0 (Jeremy Evans), 07/17/2015 09:34 PM

History
Notes
Property changes

Actions

Copy link

#1 [ruby-core:82862]

Updated by hsbt (Hiroshi SHIBATA) over 6 years ago

Status changed from Open to Assigned
Assignee set to normalperson (Eric Wong)

Actions

Copy link

#2 [ruby-core:82866]

Updated by normalperson (Eric Wong) over 6 years ago

hsbt@ruby-lang.org wrote:

Issue #11365 has been updated by hsbt (Hiroshi SHIBATA).

Status changed from Open to Assigned
Assignee set to normalperson (Eric Wong)

Feature #11365: Change Webrick to support SHA htpasswd files
https://bugs.ruby-lang.org/issues/11365#change-66759

This changes Webrick to default to creating SHA htpasswd files.
It also changes Webrick to support reading SHA htpasswd files,
in addition to supporting the previous crypt password files.

We must keep tests for crypt htpasswd files to ensure existing
files continue working.

Among other things, this allows Webrick's htpasswd support to
work on OpenBSD, which does not support insecure DES-based
passwords in crypt(3).

This is an old issue; and nowadays SHA-1 is on it's way out...
Should we be looking at SHA-256 or something? (not a crypto expert)

Thanks.

Btw, (anybody) feel free to re-ping me (+Cc) in case I forget
about this after a few days. I didn't notice this until just
now, I'm a new WEBrick maintainer, and sometimes Subject lines
are too long for my tiny attention span :x

Actions

Copy link

Updated by jeremyevans0 (Jeremy Evans) over 6 years ago

Status changed from Assigned to Closed

normalperson (Eric Wong) wrote:

This is an old issue; and nowadays SHA-1 is on it's way out...
Should we be looking at SHA-256 or something? (not a crypto expert)

I didn't think SHA-256 was supported in .htpasswd files. I suppose we could roll our own, but I figured the only reason crypt(3) was used was for compatibility with Apache .htpasswd files. According to the Apache documentation, there are 5 options for password formats (see https://httpd.apache.org/docs/2.4/misc/password_encryptions.html):

bcrypt
custom MD5
SHA1
crypt(3)
plaintext

I don't believe ruby supports bcrypt in the stdlib. I would be 100% for adding bcrypt support to the stdlib and using it in Webrick, but that's a larger change.

The custom MD5 solution was Apache specific and fairly complex, and I didn't want to implement it.

Apache labels the SHA1 support "insecure". It's unsalted, so weak passwords would fall quickly to a rainbow table attack. While the first SHA1 collision attack was reported earlier this year, I don't believe anyone has shown an SHA1 preimage attack (where you can find a matching password given the hash), so it isn't truly insecure for very strong passwords (say 12 random characters).

Anyway, things have changed since I first put together this patch. I no longer think it makes sense to add support to Webrick for anything besides bcrypt. Because bcrypt isn't currently in the stdlib, I think this can be closed.

Actions

Copy link

#4 [ruby-core:82879]

Updated by normalperson (Eric Wong) over 6 years ago

merch-redmine@jeremyevans.net wrote:

Apache labels the SHA1 support "insecure". It's unsalted, so
weak passwords would fall quickly to a rainbow table attack.
While the first SHA1 collision attack was reported earlier
this year, I don't believe anyone has shown an SHA1 preimage
attack (where you can find a matching password given the
hash), so it isn't truly insecure for very strong passwords
(say 12 random characters).

If there are real users of SHA1, there could still be a case for
adding support for it in WEBrick for Apache compatibility; but
maybe there aren't any users... We can do it if people ask
for it...

Anyway, things have changed since I first put together this
patch. I no longer think it makes sense to add support to
Webrick for anything besides bcrypt. Because bcrypt isn't
currently in the stdlib, I think this can be closed.

Maybe we can support bcrypt as an optional dependency and issue
a warning when trying to read an htpasswd file w/o bcrypt
available.

Thanks.

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Feature #11365

Change Webrick to support SHA htpasswd files

Updated by hsbt (Hiroshi SHIBATA) over 6 years ago

Updated by normalperson (Eric Wong) over 6 years ago

Updated by jeremyevans0 (Jeremy Evans) over 6 years ago

Updated by normalperson (Eric Wong) over 6 years ago