Error pages/Web Authentication
Maxim Dounin
mdounin at mdounin.ru
Thu Jul 7 21:22:46 MSD 2011
Hello!

On Thu, Jul 07, 2011 at 11:14:27AM -0400, tsaavik wrote:
> Maxim Dounin Wrote:
> -------------------------------------------------------
> > 1. Does Nginx support SHA encryption for the basic web authentication?
> > When I use -s switch with htpasswd command I can't log in...
>
> I ran into this issue just the other day with htpasswd -s. I noticed
> that if I modified the output of htpasswd from {SHA} to {SSHA} I was
> able to use the generated password with nginx 1.0.4.
>
> I wonder if it is feasible to add the following to ngx_crypt.c to be
> more compatible with the output of htpasswd? Please note, I'm no
> cryptologist and barely a programmer, but I do sleep in Holiday Inns.
Your patch will work as {SHA} is identical to {SSHA} with an
empty salt. But I'm not really sure we want to support {SHA} at
all as it's vulnerable to rainbow table attacks and really isn't
secure. You shouldn't use it unless you really need compatibility
with some old software.

Please also note that $apr1$ (as generated by htpasswd -m, aka
apache md5) is *more* secure than both {SHA} and {SSHA}. If you
just want something compatible with Apache and secure - use $apr1$
instead.

Maxim Dounin
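The equivalence described in the reply above, as an added example that is not part of the original message and is not nginx's code: `verify` checks {SHA} and {SSHA} entries through one code path, and `audit` lists the unsalted entries in an htpasswd file along with users whose identical hashes reveal a shared password. The function names, the sample users and the `$apr1$` placeholder value are assumptions made for illustration.

```python
import base64, hashlib, hmac

def sha_entry(password):
    # {SHA} as written by htpasswd -s: base64(SHA1(password)), no salt.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def ssha_entry(password, salt):
    # {SSHA}: base64(SHA1(password + salt) + salt).
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify(password, entry):
    # One code path for both schemes: bytes after the 20-byte SHA-1 digest
    # are the salt, and for {SHA} there are none.
    for prefix in ("{SSHA}", "{SHA}"):
        if entry.startswith(prefix):
            raw = base64.b64decode(entry[len(prefix):])
            break
    else:
        raise ValueError("not a {SHA} or {SSHA} entry")
    if len(raw) < 20:
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit(htpasswd_text):
    # Return (users stored as unsalted {SHA}, groups of users whose {SHA}
    # hashes are identical, i.e. who visibly share a password).
    by_hash = {}
    for line in htpasswd_text.splitlines():
        user, sep, entry = line.strip().partition(":")
        if sep and entry.startswith("{SHA}"):
            by_hash.setdefault(entry, []).append(user)
    unsalted = sorted(u for users in by_hash.values() for u in users)
    shared = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return unsalted, shared

# Constructed sample file; the $apr1$ value is a placeholder, not a real hash.
SAMPLE = "\n".join([
    "alice:" + sha_entry("hunter2"),
    "bob:" + sha_entry("hunter2"),
    "carol:" + ssha_entry("hunter2", b"\x01\x02\x03\x04"),
    "dave:$apr1$PLACEHOLDER$PLACEHOLDER",
])

if __name__ == "__main__":
    renamed = "{SSHA}" + sha_entry("hunter2")[len("{SHA}"):]  # the rename from the quoted post
    print(verify("hunter2", renamed), audit(SAMPLE))
```

Entries that `audit` reports are candidates for regeneration with `htpasswd -m`, as the reply recommends.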