Received: (qmail 56000 invoked by uid 501); 21 Mar 2001 12:12:22 -0000 Message-Id: <20010321121221.55991.qmail@apache.org> Date: 21 Mar 2001 12:12:21 -0000 From: Paul Mandell Reply-To: paul.mandell@whitecross.com To: submit@bugz.apache.org Subject: htpasswd -m only takes first 8 chars of password and generated salt is only 2 or 3 bytes (of 8) X-Send-Pr-Version: 3.110 >Number: 7444 >Category: os-solaris >Synopsis: htpasswd -m only takes first 8 chars of password and generated salt is only 2 or 3 bytes (of 8) >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Mar 21 04:20:08 PST 2001 >Closed-Date: >Last-Modified: >Originator: paul.mandell@whitecross.com >Release: 1.3.19 >Organization: apache >Environment: Solaris 2.6 (and 7 and 8 by the look of it) >Description: Two problems really using "htpasswd -m" under Solaris 2.6 Firstly the Solaris getpass() called by ap_getpass.c only returns the first 8 characters or the password you type. This is fine when using crypt() password hashes but we want to use md5 with longer (10 - 12 character) passwords. Sun have now introduced getpassphrase() to support 256 character passwords. Maybe this should be called instead. Secondly the salts generated when using "htpasswd -m" are only 2 or 3 bytes long with "."s filling in the rest. I've looked at the source in ap_to64() and the fault seems to lie there. The value of "v" in the loop of "n" from 8 to 1 seems to reach zero after 2 or 3 iterations. I'll try it under Linux tonight but it's certainly not behaving as expected under Solaris 2.6. >How-To-Repeat: >Fix: Call getpassphrase() instead of getpass() when building on Solaris 2.6 ( and 7 and 8) by the looks of it. Sun decide to introduce getpassphrase() rather than extending getpass() therefore requiring all programs that call it to be modified, but probably protecting themselves against any side effects introduced by changing the behaviour of getpass(). The loop to generate a random salt seems a bit over complicated maybe something simpler would ensure it works on all Unixes. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]