[patch]: document SHA-2 support in glibc crypt()

Maxim Dounin mdounin at mdounin.ru
Mon Oct 9 19:44:11 UTC 2017


Hello!

On Mon, Oct 09, 2017 at 08:44:07PM +0300, Leonid Evdokimov wrote:

> Hello!
> 
> I'd like to see a few more lines about SHA-2 support in glibc crypt() in
> the documentation. I've created a small patch for the nginx.org repo, it's
> attached.
> 
> -- 
> WBRBW, Leonid Evdokimov, xmpp:leon at darkk.net.ru http://darkk.net.ru tel:+79816800702
> PGP: 6691 DE6B 4CCD C1C1 76A0  0D4A E1F2 A980 7F50 FAB2

> # HG changeset patch
> # User Leonid Evdokimov <leon at darkk.net.ru>
> # Date 1507567640 -10800
> #      Mon Oct 09 19:47:20 2017 +0300
> # Node ID ef79dd801d1b7aedebd76c9e3a034b2009a34b78
> # Parent  2ac75347ed1af5a42d84e08edbe66f762676e668
> Mention that crypt() may support SHA-2 schemes as well
> 
> diff -r 2ac75347ed1a -r ef79dd801d1b xml/en/docs/http/ngx_http_auth_basic_module.xml
> --- a/xml/en/docs/http/ngx_http_auth_basic_module.xml	Mon Oct 09 18:14:23 2017 +0300
> +++ b/xml/en/docs/http/ngx_http_auth_basic_module.xml	Mon Oct 09 19:47:20 2017 +0300
> @@ -97,6 +97,12 @@
>  encrypted with the <c-func>crypt</c-func> function; can be generated using
>  the “<command>htpasswd</command>” utility from the Apache HTTP Server
>  distribution or the “<command>openssl passwd</command>” command;
> +<note>
> +<link url="https://en.wikipedia.org/wiki/GNU_C_Library">Glibc</link> implementation of <c-func>crypt</c-func>
> +also support salted SHA-256 and SHA-512 schemes (<literal>$5$</literal> и <literal>$6$</literal>).
> +These hashes may be generated using “<command>mkpasswd</command>” utlity from “whois” package or following python one-liner:
> +“<command>python2 -c 'import base64, os, crypt; print crypt.crypt("P at ssw0rd", "$6$" + base64.b64encode(os.urandom(12), altchars="./"))'</command>”.
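
Review bot: The added note text has wording errors that should be fixed before commit: in "also support salted SHA-256 and SHA-512 schemes (<literal>$5$</literal> и <literal>$6$</literal>)" the conjunction is the Cyrillic "и" where "and" is meant and "support" should be "supports", and the following line has "utlity" for "utility" and lacks articles ("the mkpasswd utility from the whois package or the following Python one-liner"). The one-liner also takes the password as a literal on the command line, where it lands in shell history and is visible in the process list while the command runs; documenting a form that prompts for the password (for example through getpass) would be safer. The command depends on python2 through the print statement, which is worth either stating or avoiding in documentation that will outlive that interpreter.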

All crypt() schemes available on a particular OS are supported, 
and this is what is written in the above paragraph.  It is not 
clear why to document $5$ and $6$ explicitly.

(Also, it might not be a good idea to actually use $5$ and 
especially $6$ crypt schemes for web authentication, as crypt() is 
needed for each request, and these schemes are quite CPU 
intensive.)

[...]

-- 
Maxim Dounin
http://nginx.org/
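
To gauge the per-request cost raised in the reply above, an administrator can list which entries of an auth_basic user file use the `$5$` or `$6$` schemes and how many rounds each one asks for. This is an added example, not part of the original thread or of nginx; the function name, the constructed sample file, and the 5000-round default with its 1000..999999999 clamp (the values used by the glibc SHA-crypt scheme) are assumptions of the example.

```python
import re

# Assumed SHA-crypt parameters: default rounds when "rounds=" is absent,
# and the range the rounds value is clamped to.
DEFAULT_ROUNDS = 5000
ROUNDS_MIN, ROUNDS_MAX = 1000, 999999999

# $5$ or $6$, optional "rounds=N$", then a salt of up to 16 characters.
SHA_CRYPT = re.compile(r"^\$(5|6)\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{0,16})\$")

# Constructed sample user file; hash bodies are placeholders, not real hashes.
SAMPLE = """\
# comment
alice:$6$rounds=100000$saltsaltsaltsalt$HASHPLACEHOLDER
bob:$5$abcdefgh$HASHPLACEHOLDER:ops account
carol:$apr1$abcdefgh$HASHPLACEHOLDER
dave:$6$rounds=10$abcdefgh$HASHPLACEHOLDER
"""


def audit_user_file(text):
    """Return [(user, scheme, effective_rounds)] for $5$ / $6$ entries."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Format: name:password[:comment]; the hash starts after the first colon.
        user, _, rest = line.partition(":")
        m = SHA_CRYPT.match(rest)
        if not m:
            continue  # other crypt() schemes are out of scope for this audit
        scheme = "sha256-crypt" if m.group(1) == "5" else "sha512-crypt"
        rounds = int(m.group(2)) if m.group(2) else DEFAULT_ROUNDS
        rounds = min(max(rounds, ROUNDS_MIN), ROUNDS_MAX)
        findings.append((user, scheme, rounds))
    return findings


if __name__ == "__main__":
    for user, scheme, rounds in audit_user_file(SAMPLE):
        print(f"{user}: {scheme}, {rounds} rounds per authenticated request")
```

Each listed entry costs that many hash rounds on every request that presents the matching user name, since the password is checked per request rather than per session.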


More information about the nginx-devel mailing list