On 12/19/2014 04:00 PM, Jo Rhett wrote:
> While I am very glad to see RT upgrade to blowfish/bcrypt password
> encryption with RT4 it has created a problem for sites which
> synchronize passwords. Some systems (even modern Red Hat/CentOS) have
> no bcrypt support in glibc.
>
> I haven’t looked in depth, but it appears from the patches that
> bcrypt is hardcoded. Would BP accept a patch which enables a
> configuration parameter to select the crypt method?
I don't think we'd take a general patch to do so, no -- though patching it locally shouldn't be too difficult.

Note, however, that RT 3 used an unsalted MD5 (which is totally insecure), or (after RT 3.8.9) a truncated SHA-256 of a salted MD5 of the password -- which certainly wasn't portable. You have to go back to RT 2.0 to get a password hash in the database that is perhaps portable, which is the not-terribly-secure crypt(). As such, any solution which synchronized passwords with RT previously must have had custom code; one can presumably use a user-space implementation of bcrypt there.

- Alex
