[ruby-core:82878] [Ruby trunk Feature#11365][Closed] Change Webrick to support SHA htpasswd files

From: merch-redmine@...
Date: 2017-09-19 16:07:29 UTC
List: ruby-core #82878
Issue #11365 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Assigned to Closed

normalperson (Eric Wong) wrote:
>  This is an old issue; and nowadays SHA-1 is on its way out...
>  Should we be looking at SHA-256 or something?  (not a crypto expert)

I didn't think SHA-256 was supported in .htpasswd files.  I suppose we could roll our own, but I figured the only reason crypt(3) was used was for compatibility with Apache .htpasswd files.  According to the Apache documentation, there are 5 options for password formats (see https://httpd.apache.org/docs/2.4/misc/password_encryptions.html):

* bcrypt
* custom MD5
* SHA1
* crypt(3)
* plaintext

I don't believe ruby supports bcrypt in the stdlib.  I would be 100% for adding bcrypt support to the stdlib and using it in Webrick, but that's a larger change.

The custom MD5 solution was Apache specific and fairly complex, and I didn't want to implement it.

Apache labels the SHA1 support "insecure".  It's unsalted, so weak passwords would fall quickly to a rainbow table attack. While the first SHA1 collision attack was reported earlier this year, I don't believe anyone has shown an SHA1 preimage attack (where you can find a matching password given the hash), so it isn't truly insecure for very strong passwords (say 12 random characters).

Anyway, things have changed since I first put together this patch. I no longer think it makes sense to add support to Webrick for anything besides bcrypt.  Because bcrypt isn't currently in the stdlib, I think this can be closed.

----------------------------------------
Feature #11365: Change Webrick to support SHA htpasswd files
https://bugs.ruby-lang.org/issues/11365#change-66777

* Author: jeremyevans0 (Jeremy Evans)
* Status: Closed
* Priority: Normal
* Assignee: normalperson (Eric Wong)
* Target version: 
----------------------------------------
This changes Webrick to default to creating SHA htpasswd files.
It also changes Webrick to support reading SHA htpasswd files,
in addition to supporting the previous crypt password files.

Among other things, this allows Webrick's htpasswd support to
work on OpenBSD, which does not support insecure DES-based
passwords in crypt(3).

---Files--------------------------------
0003-Change-Webrick-to-support-SHA-htpasswd-files.patch (3.62 KB)
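To make the format list in the reply concrete, here is an added Ruby example (not the attached patch and not Webrick's own code) that parses a constructed .htpasswd file, classifies each entry by Apache format and verifies the unsalted {SHA} scheme. Because {SHA} is base64(SHA1(password)) with no salt, alice and bob, who share a password, end up with an identical stored value, which is the rainbow-table weakness the post describes.

```ruby
require 'digest'
require 'base64'

# Constructed sample .htpasswd (not the patch's test data). alice and bob both
# store the password "password" as {SHA}; carol, dave and erin are syntactic
# placeholders for the $apr1$, bcrypt and crypt(3) formats; frank is plaintext.
HTPASSWD = <<~EOS
  alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
  bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
  carol:$apr1$EXAMPLE$placeholder_md5_digest_here
  dave:$2y$10$placeholderbcryptsaltplaceholderbcrypthashxxxxxxxxxxx
  erin:abJnggxhB/yWI
  frank:plaintextpw
EOS

# Parse "user:hash" lines into a Hash, skipping blanks and comments.
def parse_htpasswd(text)
  text.each_line.with_object({}) do |line, users|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    user, hash = line.split(':', 2)
    users[user] = hash
  end
end

# Classify a stored value by prefix, following Apache's documented formats.
def hash_format(hash)
  case hash
  when /\A\{SHA\}/ then :sha1
  when /\A\$apr1\$/ then :apr_md5
  when /\A\$2[aby]\$/ then :bcrypt
  when %r{\A[./0-9A-Za-z]{13}\z} then :crypt  # 13-char DES crypt(3) output
  else :plaintext
  end
end

# Apache {SHA}: base64 of the raw SHA-1 digest, no salt, no iteration count.
def sha1_entry(password)
  '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(password))
end

# Constant-time comparison so verification does not leak a matching prefix.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_sha1(stored, password)
  hash_format(stored) == :sha1 && secure_equal?(sha1_entry(password), stored)
end

# Group {SHA} users by stored value: identical entries mean identical passwords,
# which an unsalted scheme exposes and a salted one (bcrypt) would hide.
def shared_sha1_digests(users)
  sha = users.select { |_, h| hash_format(h) == :sha1 }
  sha.group_by { |_, h| h }.transform_values { |pairs| pairs.map(&:first) }
     .select { |_, names| names.size > 1 }
end
```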

