Patrick Steinhardt <ps@xxxxxx> writes:

> When setting up httpd for our tests, we also install a passwd and
> proxy-passwd file that contain the test user's credentials. These
> credentials currently use crypt(3) as the password encryption schema.
>
> This schema can be considered deprecated nowadays as it is not safe
> anymore. Quoting Apache httpd's documentation [1]:
>
>> Unix only. Uses the traditional Unix crypt(3) function with a
>> randomly-generated 32-bit salt (only 12 bits used) and the first 8
>> characters of the password. Insecure.
>
> This is starting to cause issues in modern Linux distributions. glibc
> has deprecated its libcrypt library that used to provide crypt(3) in
> favor of the libxcrypt library. This newer replacement provides a
> compile time switch to disable insecure password encryption schemata,
> which causes crypt(3) to always return `EINVAL`. The end result is that
> httpd tests that exercise authentication will fail on distros that use
> libxcrypt without these insecure encryption schemata.
>
> Regenerate the passwd files to instead use the default password
> encryption schema, which is md5. While it feels kind of funny that an
> MD5-based encryption schema should be more secure than anything else, it
> is the current default and supported by all platforms. Furthermore, it
> really doesn't matter all that much given that these files are only used
> for testing purposes anyway.

This step makes quite a lot of sense, as we are changing this not at all for security but for portability ;-)

>
> [1]: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
>
> Signed-off-by: Patrick Steinhardt <ps@xxxxxx>
> --- > t/lib-httpd/passwd | 2 +- > t/lib-httpd/proxy-passwd | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd > index 99a34d64874..d9c122f3482 100644 > --- a/t/lib-httpd/passwd > +++ b/t/lib-httpd/passwd 
> @@ -1 +1 @@ > -user@host:xb4E8pqD81KQs > +user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1 > diff --git a/t/lib-httpd/proxy-passwd b/t/lib-httpd/proxy-passwd > index 77c25138e07..2ad7705d9a3 100644 > --- a/t/lib-httpd/proxy-passwd > +++ b/t/lib-httpd/proxy-passwd > @@ -1 +1 @@ > -proxuser:2x7tAukjAED5M > +proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
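Review bot: the new `user@host:$apr1$...` entry in t/lib-httpd/passwd cannot be checked against the removed crypt(3) entry from the patch alone, because the commit message says "Regenerate" without recording how. Adding the command used to produce the hash (for example the htpasswd invocation) to the commit message would let a later reader regenerate the file and confirm that the test password is unchanged.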
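Review bot: on the `+proxuser:` line in t/lib-httpd/proxy-passwd the `$apr1$` prefix marks Apache's own salted, iterated MD5 format, while the commit message only calls the new scheme "md5". Naming it apr1 in the message, and noting that httpd checks this format with its own code rather than through crypt(3), would state directly why the file no longer depends on how libxcrypt was built.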
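To find other password files that still depend on crypt(3), entries can be classified by the prefixes listed in the Apache documentation cited above. This is an added example, not part of the patch or of Git's test suite: the function names are hypothetical, the sample reuses the four entries from the diff, and the 13-character DES check is a heuristic.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no prefix.
# Heuristic: a 13-character plaintext from this alphabet would also match.
_DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify_hash(value):
    """Return the scheme name for one htpasswd hash field."""
    if value.startswith("$apr1$"):
        return "apr1-md5"      # Apache's own MD5 variant
    if value.startswith("$2y$"):
        return "bcrypt"
    if value.startswith("{SHA}"):
        return "sha1"
    if _DES_CRYPT.fullmatch(value):
        return "crypt-des"     # needs a crypt(3) with DES still enabled
    return "unknown"           # anything else, e.g. another crypt(3) format

def audit_htpasswd(text):
    """Return (line_no, user, scheme) for every entry in htpasswd-format text."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        user, sep, value = line.partition(":")
        if not sep:
            results.append((line_no, line, "malformed"))
            continue
        results.append((line_no, user, classify_hash(value)))
    return results

def crypt_dependent(text):
    """Users whose entry would stop verifying once DES crypt(3) is disabled."""
    return [u for _, u, scheme in audit_htpasswd(text) if scheme == "crypt-des"]

# Constructed sample: the removed and added entries from the diff above.
SAMPLE = """\
user@host:xb4E8pqD81KQs
proxuser:2x7tAukjAED5M
user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
"""

if __name__ == "__main__":
    for line_no, user, scheme in audit_htpasswd(SAMPLE):
        print(f"{line_no}: {user}: {scheme}")
```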