
Item10952: configure {Htpasswd}{Encoding} defaults to crypt which throws a warning, without any guidance for what alternative to choose or why

Priority: Normal
Current State: Closed
Released In: 1.1.4
Target Release: patch
Applies To: Engine
Component: FoswikiUsers, configure, HtPasswdUser
Reported By: PaulHarvey
Waiting For:
Last Change By: GeorgeClark
So, add a link to the support web

-- PaulHarvey - 08 Jul 2011

HtPasswdEncodingSupplement - please review

-- PaulHarvey - 08 Jul 2011

Nice image on the docu. crypt should be deprecated due to its 8-char limitation, which some users aren't even aware of. Moving away from crypt will improve the overall security standards of installed Foswikis out there.

-- MichaelDaum - 09 Jul 2011

Thank you for feedback. I just wanted more experienced eyes on the doc to make sure I hadn't cooked complete lies (I never used any alternative login/password manager).

-- PaulHarvey - 10 Jul 2011

Why do we seem to recommend against SHA1 for ApacheLogin? HtPasswdEncodingSupplement says " you want to allow new users to register via Foswiki, then the only out-of-the-box solution is to use an md5 encoded .htpasswd file" however on my test server I was able to register and login with apache mod_auth with SHA1. So it seems to work fine, and better yet entries in .htpasswd are "tagged" with {sha} so the file can actually contain a mixture of crypt and sha entries. Apache is quite happy with the mixture. Though ChangePassword doesn't seem to verify correctly.

BTW the "info" text does cover this in some detail for the entry in bin/configure. So instead of a supplemental document, can we expand a bit on the help for the field?

-- GeorgeClark - 11 Jul 2011
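To make the two points above concrete (the 8-character limit of traditional crypt that Michael raised, and the per-entry scheme tags that let Apache accept a mixed .htpasswd as George observed), here is an added audit example; it is not Foswiki or Apache code. The sample file is constructed: the crypt and $apr1$ hash values are placeholders of the right shape, the {SHA} value is the real SHA-1 of "test".

```python
import base64
import hashlib
import hmac
import re

# Constructed sample .htpasswd (not from the task): a traditional crypt entry
# and an $apr1$ entry with placeholder hashes, plus a real {SHA} entry for "test".
SAMPLE_HTPASSWD = """\
# mixed-scheme file, as Apache accepts it
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$h6eBBaMoA6nLNzsuyUoyK1
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
"""

# traditional DES crypt: 13 chars from the crypt alphabet, no tag or prefix
CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def classify(hash_field):
    """Name the scheme of one .htpasswd hash field from its tag or shape."""
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if CRYPT_RE.fullmatch(hash_field):
        return "crypt"
    return "unknown"


def sha1_entry(password):
    """Encode a password the way 'htpasswd -s' does: {SHA} + base64(raw SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_sha1(password, hash_field):
    """Check a password against a {SHA} entry with a constant-time comparison."""
    return hmac.compare_digest(sha1_entry(password), hash_field)


def audit(text):
    """Parse .htpasswd text and return (user, scheme, note) for each entry."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        note = ""
        if scheme == "crypt":
            # DES crypt silently ignores everything after the 8th character
            note = "only the first 8 password chars are checked; migrate"
        report.append((user, scheme, note))
    return report
```

{SHA} entries are unsalted digests, so this shows the tagging and verification the thread discusses rather than endorsing SHA-1 as the scheme to standardise on.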

My problem was that it was a warning without a solution. Even if an admin thinks to click the info thing, they will still fail to find any firm advice on what to do.

So I thought this might be the type of documentation which would be better off living as a supplemental doc, but that probably just reflects my lack of confidence with this stuff.

If we can provide firm advice like "use sha1" (in which case that should be the default), then I'd be happy to see the supplemental doc disappear.

-- PaulHarvey - 11 Jul 2011

IMO we should firmly advise the use of digest auth.

I think it functions with TemplateAuth (though we have not yet added a JS encrypter, it's only a matter of time), and it is certainly more functional (and actually more reliable on Windows clients) than the other options.

-- SvenDowideit - 11 Jul 2011

Digest auth does work fine with template auth. The changes I've made for ImproveHtPaswdUserFlexibility address the documentation a bit better. The updated help text from configure is pasted in the development topic. Once the timer expires I'll commit the changes.

-- GeorgeClark - 16 Jul 2011

Setting this to waiting for release. The Htpasswd changes are considerably more extensive than this task covers.

-- GeorgeClark - 23 Jul 2011

ItemTemplate

Summary: configure {Htpasswd}{Encoding} defaults to crypt which throws a warning, without any guidance for what alternative to choose or why
Reported By: PaulHarvey
Codebase: 1.1.3, trunk
SVN Range:
Applies To: Engine
Component: FoswikiUsers, configure, HtPasswdUser
Priority: Normal
Current State: Closed
Checkins: distro:e754dfef1f6d distro:ebfc5f202b63
Target Release: patch
Released In: 1.1.4
Topic revision: r15 - 17 Dec 2011, GeorgeClark
