Bug 820524 - www-servers/lighttpd: Can't use bcrypt for HTTP auth
Summary: www-servers/lighttpd: Can't use bcrypt for HTTP auth
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Herb Miller Jr.
URL:
Whiteboard:
Keywords:
Depends on: libxcrypt-stable
Blocks:
Reported: 2021-10-27 15:07 UTC by Tobias Leupold
Modified: 2021-11-04 22:56 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Tobias Leupold 2021-10-27 15:07:13 UTC
Apparently, it's currently not possible to use HTTP auth with lighttpd using bcrypt hashed passwords. This seems to be a Gentoo-specific issue, as the very same setup works fine on one of my servers running Ubuntu 20.04 (so I suppose lighttpd can handle bcrypt hashed passwords):

Using lighttpd 1.4.59-r1, when I create a password-protected directory like so:

    $HTTP["url"] =~ "^/test/" {
        auth.backend = "htpasswd"
        auth.backend.htpasswd.userfile = "/etc/lighttpd/test.htpasswd"
        auth.require = ( "" => ( "method" => "basic",
                                 "realm"  => "test login",
                                 "require" => "valid-user" ) )
    }

and create a password file using htpasswd with the default MD5 hashing:

    htpasswd /etc/lighttpd/test.htpasswd test

the password file looks like this (both the user and the password are "test"):

    test:$apr1$CTkRN1VJ$HbhH2TJ72oRWKBabGumT21

Opening the /test/ directory makes my browser ask for user name and password, as expected, and user "test" works with password "test".

When I use bcrypt to hash the password via

    htpasswd -B /etc/lighttpd/test.htpasswd test

however, the result is

    test:$2y$05$YE/nvftdEeywb/wrZJm3nOQRha2XMndWSn/H.YeYsSDgCnCrC0Mh.

but logging in doesn't work anymore. The error.log says:

    2021-10-27 16:54:13: mod_auth.c.828) password doesn't match for /test/ username: test IP: 192.168.178.21

After updating the password to the (default) MD5 hashing, I can log in again.
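The two password lines above are enough to reproduce the distinction this bug turns on: `$apr1$` entries are MD5-crypt, which lighttpd's htpasswd backend can compute itself, while `$2y$` entries are handed to the system `crypt(3)`, so they only verify when the installed libcrypt understands bcrypt. The following script is an added example (not code from the bug report, lighttpd, or Gentoo): it parses htpasswd lines, re-derives the `$apr1$` hash in pure Python, and probes the system libcrypt with the `$2y$` line the same way the server would. The function names, the `HTPASSWD_SAMPLE` constant (copied from the report) and the `libcrypt.so.1` library name are this example's own assumptions.

```python
"""Added example: classify htpasswd entries, verify $apr1$ in pure Python, and
check whether the system libcrypt can verify a $2y$ (bcrypt) entry.
Names below (parse_htpasswd, apr1_crypt, libcrypt_verify) are this example's own."""
import ctypes
import hashlib
import hmac

# Constructed from the two lines posted in the report (user and password "test").
HTPASSWD_SAMPLE = """\
test:$apr1$CTkRN1VJ$HbhH2TJ72oRWKBabGumT21
test:$2y$05$YE/nvftdEeywb/wrZJm3nOQRha2XMndWSn/H.YeYsSDgCnCrC0Mh.
"""

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def scheme_of(hash_field):
    """Name the hash scheme from the htpasswd prefix."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith(("$2y$", "$2b$", "$2a$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    return "crypt-or-plain"


def parse_htpasswd(text):
    """Return [(user, hash, scheme)] for every non-empty, non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        entries.append((user, hash_field, scheme_of(hash_field)))
    return entries


def _to64(value, count):
    # crypt-style base64: low 6 bits first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password, salt):
    """Apache $apr1$ (MD5-crypt construction with magic "$apr1$", 1000 rounds)."""
    pw, salt, magic = password.encode(), salt.encode()[:8], b"$apr1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # stretching rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$apr1$" + salt.decode() + "$" + encoded


def verify_apr1(password, hash_field):
    _, _, salt, _ = hash_field.split("$", 3)
    return hmac.compare_digest(apr1_crypt(password, salt), hash_field)


def libcrypt_verify(password, hash_field, lib="libcrypt.so.1"):
    """Recompute hash_field with the system crypt(3), as lighttpd does for
    bcrypt entries. Returns True/False, or None when libcrypt is missing or
    rejects the scheme (NULL or a "*0"/"*1" failure token)."""
    try:
        crypt = ctypes.CDLL(lib).crypt
    except (OSError, AttributeError):
        return None
    crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    crypt.restype = ctypes.c_char_p
    out = crypt(password.encode(), hash_field.encode())
    if out is None or not out.decode().startswith(hash_field[:4]):
        return None
    return hmac.compare_digest(out.decode(), hash_field)


if __name__ == "__main__":
    for user, h, scheme in parse_htpasswd(HTPASSWD_SAMPLE):
        if scheme == "apr1-md5":
            print(user, scheme, "python-verified:", verify_apr1("test", h))
        else:
            print(user, scheme, "libcrypt-verified:", libcrypt_verify("test", h))
```

On a system whose libcrypt lacks blowfish support, `libcrypt_verify` returns `None` for the `$2y$` line while the `$apr1$` line still verifies, which is exactly the asymmetry the report describes; after a libcrypt that implements bcrypt is installed (and the server process has been restarted against it), the same call returns `True`.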
Comment 1 gstrauss 2021-10-28 06:25:19 UTC
x-ref with lighttpd upstream: https://redmine.lighttpd.net/boards/2/topics/10126

lighttpd works with bcrypt'd passwords on current Ubuntu and Fedora.
Comment 2 gstrauss 2021-10-28 07:58:42 UTC
https://wiki.gentoo.org/wiki/Project:Toolchain/libcrypt_implementation

The migration to sys-libs/libxcrypt will add blowfish crypt support to libcrypt
Comment 3 Tobias Leupold 2021-10-28 08:32:20 UTC
Well, then it's obvious why this doesn't work at the moment.
Seems like this will solve itself then ;-)
Comment 4 Sam James 2021-10-28 08:33:16 UTC
(In reply to Tobias Leupold from comment #3)
> Well, then it's obvious why this doesn't work at the moment.
> Seems like this will solve itself then ;-)

... in just a few days, too! bug 809410. The best kind of bug!
Comment 5 Tobias Leupold 2021-11-04 22:56:41 UTC
Just to finally add this:

After the migration to sys-libs/libxcrypt, lighttpd can now also handle bcrypted passwords. A complete reboot was necessary though, just restarting lighttpd wasn't enough.

But it now works anyway :-)