Error pages/Web Authentication

Maxim Dounin mdounin at
Thu Jul 7 21:22:46 MSD 2011


On Thu, Jul 07, 2011 at 11:14:27AM -0400, tsaavik wrote:

> Maxim Dounin Wrote:
> -------------------------------------------------------
> > 1. Does Nginx support SHA encryption for the basic web
> authentication?
> > When I use -s switch with htpasswd command I can't log in...
> I ran into this issue just the other day with htpasswd -s. I noticed
> that if I modified the output of htpasswd from {SHA} to {SSHA} I was
> able to use the generated password with nginx 1.0.4.
> I wonder if it is feasible to add the following to ngx_crypt.c to be
> more compatible with the output of htpasswd? Please note, I'm no
> cryptologist and barely a programmer, but I do sleep in Holiday Inns.

Your patch will work as {SHA} is identical to {SSHA} with an 
empty salt.  But I'm not really sure we want to support {SHA} at 
all as it's vulnerable to rainbow table attacks and really isn't 
secure.  You shouldn't use it unless you really need compatibility 
with some old software.

Please also note that $apr1$ (as generated by htpasswd -m, aka 
apache md5) is *more* secure than both {SHA} and {SSHA}.  If you 
just want something compatible with Apache and secure - use $apr1$ 

Maxim Dounin

More information about the nginx mailing list