https://issues.apache.org/bugzilla/show_bug.cgi?id=53410
Priority: P2
Bug ID: 53410
Assignee: [email protected]
Summary: SHA-2 password hashes with more than 9999 rounds not accepted
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: [email protected]
Hardware: PC
Status: NEW
Version: 2.2.17
Component: Core
Product: Apache httpd-2
I created two SHA-512 password hashes for the password "foobar" with the
crypt() function under Fedora 14, one using 9999 rounds, the other using 10000
rounds:
crypt("foobar", "$6$rounds=9999$IOm.N/WPP/0qRkWo");
crypt("foobar", "$6$rounds=10000$IOm.N/WPP/0qRkWo");
I added the results to a password file for basic authentication:
user1:$6$rounds=9999$IOm.N/WPP/0qRkWo$FMP6X5bcfVQX5IC6U7Kw5RIJn/s.MbMZ/LFf1Lt7fzqb.5vlofDv5e47UEWZM/fdsOd3jgJDhHdrnTOswZH4X1
user2:$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/
The 10000 rounds hash is not accepted by Apache ("Password Mismatch" in the
error.log) although apr_password_validate() from apr_md5.c uses the system's
crypt()/crypt_r() functions.
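Added example, not part of the original report and not Apache code: a small audit script that parses htpasswd-style lines, extracts the rounds parameter from SHA-2 crypt hashes, and flags entries above the 9999-round threshold that this report says httpd 2.2.17 rejects. The function names are hypothetical, the first two sample lines are the ones from the report, and the third is constructed.

```python
import re

# SHA-2 modular crypt format: $5$ (SHA-256) or $6$ (SHA-512),
# an optional "rounds=N$" field, then salt (max 16 chars) and hash.
SHA2_RE = re.compile(
    r"^\$(?P<id>[56])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[^$]{0,16})\$"
    r"(?P<hash>[./0-9A-Za-z]+)$"
)
DEFAULT_ROUNDS = 5000   # SHA-crypt default when no rounds= field is present
REPORTED_LIMIT = 9999   # highest rounds value the report saw accepted

def audit_line(line):
    """Return (user, scheme, rounds, affected), or None if not a SHA-2 entry."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return None  # blank line, comment, or malformed entry
    user, _, hashed = line.partition(":")
    m = SHA2_RE.match(hashed)
    if m is None:
        return None  # other scheme (MD5, SHA-1, DES crypt, ...)
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
    scheme = "SHA-256" if m.group("id") == "5" else "SHA-512"
    return user, scheme, rounds, rounds > REPORTED_LIMIT

def audit(text):
    """Audit a whole password file given as a string."""
    return [r for r in map(audit_line, text.splitlines()) if r is not None]

# user1/user2: lines from the report. user3: constructed, no rounds= field.
SAMPLE = (
    "user1:$6$rounds=9999$IOm.N/WPP/0qRkWo$FMP6X5bcfVQX5IC6U7Kw5RIJn/s.MbMZ/"
    "LFf1Lt7fzqb.5vlofDv5e47UEWZM/fdsOd3jgJDhHdrnTOswZH4X1\n"
    "user2:$6$rounds=10000$IOm.N/WPP/0qRkWo$jVJRXlMEcoIcoX3zyE8k/CPESF/2Tm5qLz/"
    "Z0koPDz6XklE0g8j.5S0C2YUwU1j0lBQEXH2t/5ygsGDA8yxl8/\n"
    "user3:$6$constructedsalt$" + "A" * 86 + "\n"
)

if __name__ == "__main__":
    for user, scheme, rounds, affected in audit(SAMPLE):
        status = "AFFECTED (rounds > 9999)" if affected else "ok"
        print(f"{user}: {scheme} rounds={rounds} {status}")
```
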