On Mon, Oct 09, 2017 at 10:44:11PM +0300, Maxim Dounin wrote:
> All crypt() schemes available on a particular OS are supported, and
> this is what is written in the above paragraph.

I added that note to provide disambiguation that the actual libc crypt() is
used. I was under the assumption that only some "plain old crypt()" is
actually supported (like the DES one), as the example does not refer to
the system crypt(), but refers to openssl and htpasswd. I was unaware of
the platform crypt() call until I actually looked at the source code :)

> It is not clear why to document $5$ and $6$ explicitly.

That's just an example. These two are documented in the crypt(3) manpage:
MD5-based $1$ is already documented and $2a$ is not available in the
"default" build of glibc.

> (Also, it might not be a good idea to actually use $5$ and especially
> $6$ crypt schemes for web authentication, as crypt() is needed for
> each request, and these schemes are quite CPU intensive.)

Yep, that's true, that's 5000 rounds of SHA-2 and that's ~2..3ms of CPU
time per request.

--
WBRBW, Leonid Evdokimov, xmpp:leon@darkk.net.ru http://darkk.net.ru tel:+79816800702
PGP: 6691 DE6B 4CCD C1C1 76A0 0D4A E1F2 A980 7F50 FAB2
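
Added example, not part of the original message or of nginx: a small audit of a password file that identifies the crypt() scheme of each entry by its prefix and estimates the per-request CPU cost of the SHA-based $5$/$6$ schemes. It assumes 2.5 ms per check at the default 5000 rounds (the midpoint of the figure quoted above) and linear scaling with `rounds=`; the sample entries are constructed placeholders.

```python
import re

# Assumption: ~2.5 ms per check at 5000 rounds (midpoint of the "~2..3ms"
# quoted in the message); cost is assumed to scale linearly with rounds.
MS_PER_5000_ROUNDS = 2.5
DEFAULT_ROUNDS = 5000  # SHA-crypt default when no rounds= field is present

# crypt(3) prefixes mentioned in the thread
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}

def classify(hash_field):
    """Return (scheme, rounds) for one crypt(3)-style hash string."""
    m = re.match(r"^\$([0-9a-z]+)\$(?:rounds=(\d+)\$)?", hash_field)
    if not m:
        # No $id$ prefix: a 13-character value is treated as DES crypt.
        return ("des-crypt" if len(hash_field) == 13 else "other", None)
    scheme = SCHEMES.get(m.group(1), "other")
    if scheme in ("sha256-crypt", "sha512-crypt"):
        rounds = int(m.group(2)) if m.group(2) else DEFAULT_ROUNDS
        # SHA-crypt clamps the rounds value to [1000, 999999999].
        return (scheme, min(max(rounds, 1000), 999_999_999))
    return (scheme, None)

def audit(htpasswd_text):
    """Map user -> (scheme, rounds, estimated CPU ms per authenticated request)."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        scheme, rounds = classify(rest.split(":", 1)[0])  # drop trailing comment
        est_ms = rounds / DEFAULT_ROUNDS * MS_PER_5000_ROUNDS if rounds else None
        report[user] = (scheme, rounds, est_ms)
    return report

# Constructed sample; salts and digests are placeholders, not real hashes.
SAMPLE = """\
# name:password[:comment]
alice:$6$examplesalt$PLACEHOLDERDIGEST
bob:$5$rounds=20000$examplesalt$PLACEHOLDERDIGEST:ops account
carol:$1$examplesalt$PLACEHOLDERDIGEST
dave:XXplaceholder
"""

if __name__ == "__main__":
    for user, (scheme, rounds, ms) in audit(SAMPLE).items():
        print(f"{user:6} {scheme:13} rounds={rounds} est_ms={ms}")
```
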