Make default htpasswd hash type configurable

[anonymous]

Hi,

i installed Account Manager Plugin v 0.1.3dev-r2548 with Trac 0.10.4. The HtpasswdStore component works, but stores the passwords not in md5, but in (i think) crypt hash (e.g. test:KsHASOmJA1c36).

In some docments, a default usage of md5 is stated. But, in my case it is not!

Is the hash generation a python build-in or does it use the command-line tool htpasswd2?

Thx, a lot for your help Ruediger

[Matt Good]

What documents are you referring to? The hash generation is done in Python, but follows the behavior of the htpasswd2 tool and generates crypt passwords when possible and md5 passwords otherwise. I don't see anything in the wiki stating that md5 is the default, so I'm not sure what you're asking to have changed.

[anonymous]

Hi, i refer to the following document: ​http://threebit.net/mail-archive/trac/msg02575.html

As you commented, it seems as AccountManager generates crypt-passwd per default (in contrast to the old link above).

Is there a possibility to generate md5-passwd-hashes with Account Manager. Is there a option to define the format?

Thx

[Matt Good]

At the time I wrote that message the default behavior was to generate MD5 passwords, but I changed it to use crypt by default in r1517 to be more compatible with the behavior of the Apache htpasswd utility. On Windows MD5 is still the default since crypt is not available.

There is not a configuration option to set the default hashing method. Why do you need to only use MD5 passwords?

[anonymous]

Our svn repository is currently secured by htpasswd and we built a password data base using md5 Hashes. At the time of generating this pwd-database we did not take the trac environment into account. Thus, it would be nice, if the users can change there passwords on its own. In case of crypt hashes we have to recreate the whole password data base.

Or does it work also with "hybrid" hash files?

Thx Rüdiger

[Matt Good]

It's not a problem if the file contains a mix of different types of hashes. Like Apache the plugin figures out which hash method was used on a line-by-line basis.

[drleo]

I don't mean to be obnoxious in changing this bug back to defect, and changing its priority. I have added the rationale below. If I misunderstood your comments I apologize.

Users (myself included) have built infrastructure (including other web components that share the same password file) based on the previous default. Thus, an option that allows users to override the new default with the old one is essential. It is a significant hardship to change the configurations of the entire infrastructure to use the new default. Right now my users can't access svn among other essential tools.

Another argument: there are circumstances where more than one platform must authenticate from the same file. So using the default on each platform is not sufficient.

Thanks, Leo.

[Matt Good]

If you need additional flexibility in this tool that's still an enhancement, not a defect. The plugin behaves as described and complies with the htpasswd standard file format.

I don't have much time to work on this plugin these days, so if you can work on a patch it would be greatly appreciated.

[Ante Blašković]

I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.

[Matt Good]

Replying to ante:

I've upgraded my server from Winblows to Linux and now I can not use plugin because all passwords are saved in MD5 format. I hope you will make this work in near future.

Please explain. The plugin will read MD5 passwords just fine regardless of what platform you're on, so this should work just fine. The only difference is that when users update their passwords the new value will use the "crypt" format. Htpasswd supports mixing different hashing formats within the same file, so this is not a problem.

[Ante Blašković]

When I try to login with MD5 stored password I got incorrect password message, login with CRYPT password works fine.

[Ante Blašković]

I'll try to explain this way, I have passwords allready stored in svn_pwd.

ante:$apr1$b3BoO...$PFRLvDJSCFcMDwCguKDBa.
testuser:$apr1$iU5.....$2SRd4MCBKFbFuZlHNWHab/
ante1:YDNMS/QpdAX0g

If I go to Trac account prefrences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

[Matt Good]

Replying to ante:

If I go to Trac account prefrences and try to change password for user ante (MD5) I receive error: Error Old Password is incorrect. Password change for user ante1 is OK (crypt).

I've created #3225 for this since it's not really the same as the request here since it's a problem reading existing passwords rather than the format used by new passwords.

[Mitar]

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

[Steffen Hoffmann]

Replying to Mitar:

Anything new about this? It would be really great if there would be an option salt_prefix so I could set it to $1$ and I would get MD5 hash type.

Yes, since I've taken maintainership of this plugin this week, I'll try to catch up with tickets as good as I can. Thanks for your patience. Still I'd value getting a hint, if this changed to a non-issue by now.

The change is simple. Line 67 (s = '') in pwhash.py should be changed to s = salt_prefix.

Thanks for the hint. I think this is as good as a patch would have been. I will add such an option while preparing more changes to htpasswd file handling.

[Steffen Hoffmann]

Well, I've done a slightly different implementation, testing now.

At second thought I disregarded salt_prefix as option name, since it was too internal. I'll use hash_type and map needed salt_prefix settings under the hood, you see?

And while we are at it, why limit to md5? I chose to allow 'sha' as another preset as well. Objections?

Final question: Do we require a backport to 0.10 branch as well?

[Mitar]

Welcome aboard maintainship of this plugin. I am glad!

Great! Of course we should not limit only to md5. By allowing custom prefix we can support any type.

I thin 0.10 is not needed anymore. For those having 0.10 installation they probably already fixed that in some other way.

[Steffen Hoffmann]

#2031 has been closed as a duplicate of this ticket. Seems there are some more people interested in this feature.

[Steffen Hoffmann]

(In [9274]) AccountManagerPlugin: Force different hash type in htpasswd files by choice, closes #2282.

The new option hash_type is available via acct_mgr config admin UI too. Salt generation is moved from htpasswd() module into new mkhtpasswd(). An old compatibility method for Python <= 2.3 gets removed while doing some code cleanup. And we add a new, long missed unittest for crypt|md5|sha hash creation.

[Steffen Hoffmann]

#7395 has been closed as a duplicate of this ticket. There is a patch in there suggesting another way to introduce hash type selection.