> Hi all,
>
> I am currently trying to have basic user authentication enabled using a
> hash starting with $2y$....
>
> While this hash is working very fine in combination with PHP's
> password_hash(), it seems the same hash string is not working for basic
> authentication in haproxy.cfg. I'm not entirely sure about Wheezy
> supporting the latest Blowfish algorithm ($2y$) and did not find
> anything on the web to it either. Using the insecure-password method in
> haproxy.cfg the authentication works just fine so my conclusion is
> HAproxy might not be aware of how to handle this hash string correctly
> (even though the documentation indicates it just relies on the system's
> crypt() function).
>
> Would anybody have a clue how I could investigate this issue any
> further or would even have a suggestion to solve it on Debian Wheezy?

glibc's crypt() simply doesn't support it.

Check with:
man crypt


Other than MD5, crypt() in Debian Wheezy almost certainly only supports
sha256 (id $5$) and sha512 (id $6$). There is a mysterious comment in the
manpage about blowfish (id $2a$) that suggests it *may* be supported,
although it's not in mainline glibc.

I suggest sticking with sha512; that should be secure enough (it's salted
anyway).

See here [1] for a list of crypt() ids.


Oh, and please upgrade haproxy: starting with v1.5.4 we verify that the
encryption method is actually supported by crypt(), so HAproxy won't
even start with unsupported password methods.



Regards,

Lukas


[1] http://en.wikipedia.org/wiki/Crypt_%28C%29#Blowfish-based_scheme
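The two things this reply asks the original poster to do by hand, look up the `$id$` prefix of the hash and check whether the local crypt() accepts it, can be scripted. The following is an added illustration for this thread, not HAProxy's code and not from Lukas's mail: it parses a crypt(3) string according to the scheme ids in the reference above (DES, `$1$`, `$2*$`, `$5$`, `$6$`), then probes the system crypt() through Python's stdlib wrapper the way HAProxy 1.5.4+ does at start-up, and finally shows the re-hash-and-compare step a basic-auth check performs. All hash strings below are constructed; the `$6$saltsalt` setting is an assumed sample salt, not anything from the thread. Whether `$2y$` comes back as supported depends on the libc (Wheezy's glibc versus a libxcrypt-based system), which is exactly the point of the reply.

```python
"""Inspect crypt(3)-style password hashes and probe the local crypt() for
the scheme they use (the check HAProxy performs at start-up since 1.5.4).
Illustration added to this thread; not HAProxy code."""
import hmac
import re
import warnings

# Scheme ids taken from the crypt(3) article linked in the reply.
_BCRYPT_IDS = {"2", "2a", "2b", "2x", "2y"}
_SHA_FAMILY = {"1": ("md5", 22), "5": ("sha256", 43), "6": ("sha512", 86)}


def parse_crypt_hash(hashed):
    """Split a full crypt string into scheme, id, rounds, salt and digest.
    Raises ValueError for anything that is not well-formed crypt(3) output."""
    if not hashed.startswith("$"):
        # Traditional DES: two salt chars followed by an 11-char digest.
        if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
            return {"scheme": "des", "id": "", "rounds": None,
                    "salt": hashed[:2], "digest": hashed[2:]}
        raise ValueError("not a crypt(3) hash")
    fields = hashed.split("$")          # '', id, [rounds=N,] salt, digest
    ident = fields[1]
    if ident in _BCRYPT_IDS:
        # $2y$<2-digit cost>$<22 salt chars><31 digest chars>
        if (len(fields) != 4 or not re.fullmatch(r"\d{2}", fields[2])
                or not re.fullmatch(r"[./0-9A-Za-z]{53}", fields[3])):
            raise ValueError("malformed bcrypt string")
        return {"scheme": "bcrypt", "id": ident, "rounds": int(fields[2]),
                "salt": fields[3][:22], "digest": fields[3][22:]}
    if ident in _SHA_FAMILY:
        scheme, digest_len = _SHA_FAMILY[ident]
        rest, rounds = fields[2:], None
        if ident != "1" and rest and rest[0].startswith("rounds="):
            rounds = int(rest[0][len("rounds="):])   # sha-crypt only
            rest = rest[1:]
        if len(rest) != 2 or not rest[0] or len(rest[1]) != digest_len:
            raise ValueError("malformed %s-crypt string" % scheme)
        return {"scheme": scheme, "id": ident, "rounds": rounds,
                "salt": rest[0], "digest": rest[1]}
    raise ValueError("unknown crypt scheme id $%s$" % ident)


def _crypt_module():
    """Return the stdlib crypt wrapper, or None where it no longer exists
    (deprecated in 3.11, removed in 3.13)."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
        return crypt
    except ImportError:
        return None


def crypt_supports(setting):
    """Does the local libc crypt() handle this "$id$salt" setting?
    True/False, or None when it cannot be probed from this interpreter."""
    mod = _crypt_module()
    if mod is None:
        return None
    try:
        out = mod.crypt("probe", setting)
    except OSError:                 # glibc >= 2.17: EINVAL on unknown ids
        return False
    if not out or out.startswith("*"):   # NULL, or libxcrypt's "*0" token
        return False
    want = setting.split("$")[1] if setting.startswith("$") else ""
    try:
        return parse_crypt_hash(out)["id"] == want
    except ValueError:              # e.g. old glibc fell back to DES
        return False


def verify_password(password, hashed):
    """Basic-auth style check: re-hash with the stored string as the setting
    and compare in constant time.  None when crypt is unavailable here."""
    mod = _crypt_module()
    if mod is None:
        return None
    try:
        out = mod.crypt(password, hashed)
    except OSError:
        return False
    return bool(out) and hmac.compare_digest(out, hashed)


if __name__ == "__main__":
    # Constructed settings, one per scheme id from the reference list.
    for setting in ["$1$saltsalt", "$2y$10$" + "a" * 22, "$5$saltsalt", "$6$saltsalt"]:
        print("%-32s supported by local crypt(): %s" % (setting, crypt_supports(setting)))
    mod = _crypt_module()
    if mod is not None and crypt_supports("$6$saltsalt"):
        stored = mod.crypt("example-secret", "$6$saltsalt")   # constructed
        print(parse_crypt_hash(stored))
        print("user demo password", stored)          # haproxy.cfg userlist form
        print("verify:", verify_password("example-secret", stored),
              verify_password("other", stored))
```

Running it on the affected box answers the question in the first mail directly: if `$2y$...` prints `False` while `$6$...` prints `True`, the hash format is the problem, not HAProxy's userlist handling.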