Re: Error pages/Web Authentication

Maxim Dounin
July 07, 2011 01:24PM
Hello!

On Thu, Jul 07, 2011 at 11:14:27AM -0400, tsaavik wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > 1. Does Nginx support SHA encryption for the basic web authentication?
> > When I use -s switch with htpasswd command I can't log in...
>
> I ran into this issue just the other day with htpasswd -s. I noticed
> that if I modified the output of htpasswd from {SHA} to {SSHA} I was
> able to use the generated password with nginx 1.0.4.
>
> I wonder if it is feasible to add the following to ngx_crypt.c to be
> more compatible with the output of htpasswd? Please note, I'm no
> cryptologist and barely a programmer, but I do sleep in Holiday Inns.

Your patch will work as {SHA} is identical to {SSHA} with an
empty salt. But I'm not really sure we want to support {SHA} at
all as it's vulnerable to rainbow table attacks and really isn't
secure. You shouldn't use it unless you really need compatibility
with some old software.

Please also note that $apr1$ (as generated by htpasswd -m, aka
apache md5) is *more* secure than both {SHA} and {SSHA}. If you
just want something compatible with Apache and secure - use $apr1$
instead.

Maxim Dounin
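
The point made in the reply above, as an added example that is not part of the original message and is not nginx code: a {SHA} entry is a {SSHA} entry with an empty salt, so unsalted entries for the same password are identical, which is what makes precomputed tables effective. The function names and sample passwords are constructed for illustration, and the layout assumed is base64(SHA1(password + salt) + salt).

```python
import base64
import hashlib
import hmac
import os

DIGEST_LEN = 20  # SHA-1 output size in bytes


def make_entry(password: bytes, salt: bytes = b"", scheme: str = "{SSHA}") -> str:
    """Build an htpasswd-style value: scheme + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: bytes, entry: str) -> bool:
    """Verify a {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not entry.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(entry[len("{SSHA}"):])
    if len(raw) < DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def relabel_sha_as_ssha(entry: str) -> str:
    """Swap the {SHA} prefix for {SSHA}, leaving the base64 body untouched."""
    if not entry.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    return "{SSHA}" + entry[len("{SHA}"):]


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share one password.
    sha_a = make_entry(b"password", scheme="{SHA}")
    sha_b = make_entry(b"password", scheme="{SHA}")
    print("unsalted entries identical:", sha_a == sha_b)

    # The relabelled {SHA} value passes an SSHA check with a zero-length salt.
    print("relabelled verifies:", verify_ssha(b"password", relabel_sha_as_ssha(sha_a)))

    # With a random salt per entry, equal passwords no longer share a hash.
    ssha_a = make_entry(b"password", os.urandom(8))
    ssha_b = make_entry(b"password", os.urandom(8))
    print("salted entries identical:", ssha_a == ssha_b)
```
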
