On 08.03.2011 07:06, William A. Rowe Jr. wrote:
But what does this have to do with httpd? At best, you are suggesting a docs improvement.
Otherwise this is on the language you are using and not an ASF issue... but the desired behavior has been part of Crypt::PasswdMD5 for a dozen years, just to give you a Perl example... and apache_md5_crypt() is unambiguous.
http://search.cpan.org/~luismunoz/Crypt-PasswdMD5-1.3/PasswdMD5.pm
That was a repost from a mysql list... the OP was saying MD5 should be MD5: when using Apache auth against an MD5 hash as its auth mechanism, it does not accept the MD5 hash inserted into a DB, i.e. using mysql insert md5(foo), it won't, for the OP, recognise it when using AuthDBDUserPWQuery.
In other words, if you claim to support MD5, it should read an inserted MD5 hash. But I will forward your post to the OP.
As cited above, we don't support just "any old arbitrary MD5", and if you are using that particular generic form of MD5 today, you really should spend some time reviewing security lists; a ROT13 p/w encoding is just about as effective. But the hash in question is not MD5, but Apache MD5, which is and always was a different thing.
If you have any pointers to our docs where the difference isn't made clear, the docs team would really like to hear specifics! See the address above for their list.
That said, a "real" SHA-1 is supported, and stronger options are well warranted, if not overdue, given that SHA-1 is on equally shaky ground :)
Well, I don't think the question is whether MD5 is weak or not and whether APR-MD5 is better, but whether we are willing to rename 'our MD5' to, e.g., APR-MD5, which would make it a lot clearer for everyone that we support a special MD5 variant, and not plain weak MD5.
BTW, I stumbled over exactly the same years ago, and it took me a while to realize that httpd in fact uses APR-MD5, and not 'plain weak MD5' ... :-)
See e.g.:
http://httpd.apache.org/docs/trunk/mod/mod_auth_digest.html#authdigestalgorithm
No mention that this is APR-MD5 ...
Also the quick reader who would look for the htpasswd options:
http://httpd.apache.org/docs/trunk/programs/htpasswd.html#options
would find:
-m
Use MD5 encryption for passwords. This is the default.
Only if you read the overview is it mentioned that we use a special MD5:
"htpasswd encrypts passwords using either a version of MD5 modified for Apache, or the system's crypt() routine."
(And BTW, this sentence also lacks the 3rd method, SHA ...)
Gün.
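As an added example (not code from this thread, from httpd or from APR), here is the "$apr1$" scheme that htpasswd -m produces, written out in Python so the difference from a plain md5(foo) is visible: the password is salted, stretched through 1000 rounds and encoded with crypt's alphabet, so a bare hex MD5 stored by a database can never match it. The test vector is the one shown in the httpd password_encryptions documentation; the function names apr1_crypt and verify_apr1 are my own.

```python
import hashlib
import hmac

# Output alphabet of APR's to64(): the traditional crypt(3) alphabet, not standard base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):
    # Emit n characters, least significant 6 bits first.
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))

def apr1_crypt(password: str, salt: str) -> str:
    """Compute an Apache MD5 ($apr1$) hash, the scheme behind 'htpasswd -m'."""
    pw = password.encode()
    salt = salt[6:] if salt.startswith("$apr1$") else salt  # accept a full hash as salt
    s = salt.split("$")[0][:8].encode()                      # salt ends at '$' or 8 chars
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n > 0:                       # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # 1000 stretching rounds with a per-round pattern
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                          # APR's byte shuffle before encoding
    out = _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return "$apr1$" + s.decode() + "$" + out

def verify_apr1(password: str, stored: str) -> bool:
    """True only for a well-formed $apr1$ hash that matches; a hex md5() is rejected."""
    if not stored.startswith("$apr1$"):
        return False
    return hmac.compare_digest(apr1_crypt(password, stored), stored)
```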