Best practice for mod_authn_dbd + postgresql; really SHA1?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Experts,

I'm trying to determine the best way to implement Apache
authentication using mod_authn_dbd and PostgrSQL; my starting
point has been this documentation:

  https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html
  https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
  https://www.postgresql.org/docs/9.6/static/pgcrypto.html (F.25.2)

It looks like my choices are:

1: Do the crypto in PostgreSQL.  For example, I could insert
new password hashes:

  INSERT INTO passwords (username, pwhash)
    VALUES ('phil', crypt('passw0rd', gen_salt('bf',8)));

And check them:

  SELECT * FROM passwords WHERE username='phil'
    AND pwhash = crypt('passw0rd', pwhash);

The trouble is that this returns a pass/fail response, but at the
Apache end I don't see a way to make mod_authn_dbd (or anything else)
use that; that module wants to receive a password hash that it will
check itself.  So:

2. Do the crypto in Apache.  I could simply:

  SELECT pwhash FROM passwords WHERE username='phil';

But getting the passwords into PostgreSQL in the first place is
not so easy.  pgcrypto's blowfish implementation doesn't seem to
be quite the same as what Apache uses ($2a$ vs $2y$, whatever that
means...), so it looks like I would probably need to invoke the
htpasswd utility somewhere between my e.g. create_user.cgi /
change_password.cgi scripts and the SQL.  So:

3. Use SHA1.  This is described as "probably the most useful format
for DBD authentication" in the Apache docs, since the Apache and
PostgreSQL implementations are the same:

  INSERT INTO passwords (username, pwhash)
    VALUES ('phil', '{SHA}'||encode(digest('passw0rd','sha1'),'base64'));

  SELECT pwhash FROM passwords WHERE username='phil';

But the disadvantage is that this is relatively insecure; there is no
salt and the SHA1 algorithm is quick enough that it could be brute-forced.
I could of course add a salt before hashing, but I don't think there is
a way to make mod_authn_dbd compare against the same salted password.

I find this all a bit surprising.  Isn't this a common scenario?  Am
I missing something?  What do other people do?

Many thanks for any advice.


Regards, Phil.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux