From: Junio C Hamano <gitster@pobox.com>
To: Patrick Steinhardt <ps@pks.im>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication
Date: Wed, 08 Nov 2023 17:01:02 +0900 [thread overview]
Message-ID: <xmqq8r787jy9.fsf@gitster.g> (raw)
In-Reply-To: <23835763002c5f5cd68db7bdc9e4c083dda3558f.1699428122.git.ps@pks.im> (Patrick Steinhardt's message of "Wed, 8 Nov 2023 08:30:01 +0100")
Patrick Steinhardt <ps@pks.im> writes:
> When setting up httpd for our tests, we also install a passwd and
> proxy-passwd file that contain the test user's credentials. These
> credentials currently use crypt(3) as the password encryption schema.
>
> This schema can be considered deprecated nowadays as it is not safe
> anymore. Quoting Apache httpd's documentation [1]:
>
>> Unix only. Uses the traditional Unix crypt(3) function with a
>> randomly-generated 32-bit salt (only 12 bits used) and the first 8
>> characters of the password. Insecure.
>
> This is starting to cause issues in modern Linux distributions. glibc
> has deprecated its libcrypt library that used to provide crypt(3) in
> favor of the libxcrypt library. This newer replacement provides a
> compile time switch to disable insecure password encryption schemata,
> which causes crypt(3) to always return `EINVAL`. The end result is that
> httpd tests that exercise authentication will fail on distros that use
> libxcrypt without these insecure encryption schematas.
>
> Regenerate the passwd files to instead use the default password
> encryption schema, which is md5. While it feels kind of funny that an
> MD5-based encryption schema should be more secure than anything else, it
> is the current default and supported by all platforms. Furthermore, it
> really doesn't matter all that much given that these files are only used
> for testing purposes anyway.
This step makes quite a lot of sense, as we are changing this not at
all for security but for portability ;-)
>
> [1]: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
>
> Signed-off-by: Patrick Steinhardt <ps@pks.im>
> ---
> t/lib-httpd/passwd | 2 +-
> t/lib-httpd/proxy-passwd | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd
> index 99a34d64874..d9c122f3482 100644
> --- a/t/lib-httpd/passwd
> +++ b/t/lib-httpd/passwd
> @@ -1 +1 @@
> -user@host:xb4E8pqD81KQs
> +user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
> diff --git a/t/lib-httpd/proxy-passwd b/t/lib-httpd/proxy-passwd
> index 77c25138e07..2ad7705d9a3 100644
> --- a/t/lib-httpd/proxy-passwd
> +++ b/t/lib-httpd/proxy-passwd
> @@ -1 +1 @@
> -proxuser:2x7tAukjAED5M
> +proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
next prev parent reply other threads:[~2023-11-08 8:01 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-08 7:29 [PATCH 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-08 7:29 ` [PATCH 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-08 7:59 ` Junio C Hamano
2023-11-08 10:42 ` Patrick Steinhardt
2023-11-08 16:44 ` Jeff King
2023-11-08 7:30 ` [PATCH 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-08 8:01 ` Junio C Hamano [this message]
2023-11-08 7:30 ` [PATCH 3/3] t9164: fix inability to find basename(1) in hooks Patrick Steinhardt
2023-11-08 14:57 ` [PATCH v2 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-08 14:57 ` [PATCH v2 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-08 16:54 ` Jeff King
2023-11-09 0:30 ` Junio C Hamano
2023-11-09 6:30 ` Patrick Steinhardt
2023-11-08 14:57 ` [PATCH v2 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-08 17:02 ` Jeff King
2023-11-08 14:57 ` [PATCH v2 3/3] t9164: fix inability to find basename(1) in hooks Patrick Steinhardt
2023-11-08 17:21 ` Jeff King
2023-11-08 17:43 ` Junio C Hamano
2023-11-09 6:30 ` Patrick Steinhardt
2023-11-09 7:02 ` Patrick Steinhardt
2023-11-09 7:09 ` [PATCH v3 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-09 7:09 ` [PATCH v3 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-09 7:32 ` Jeff King
2023-11-09 7:36 ` Patrick Steinhardt
2023-11-09 7:46 ` Junio C Hamano
2023-11-09 7:57 ` Patrick Steinhardt
2023-11-09 7:48 ` Jeff King
2023-11-09 7:09 ` [PATCH v3 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-09 7:10 ` [PATCH v3 3/3] t9164: fix inability to find basename(1) in Subversion hooks Patrick Steinhardt
2023-11-09 7:35 ` Jeff King
2023-11-09 7:36 ` [PATCH v3 0/3] t: improve compatibility with NixOS Jeff King
2023-11-10 8:16 ` [PATCH v4 " Patrick Steinhardt
2023-11-10 8:17 ` [PATCH v4 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-11 0:00 ` Junio C Hamano
2023-11-13 7:15 ` Patrick Steinhardt
2023-11-10 8:17 ` [PATCH v4 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-10 8:17 ` [PATCH v4 3/3] t9164: fix inability to find basename(1) in Subversion hooks Patrick Steinhardt
2023-11-10 21:41 ` [PATCH v4 0/3] t: improve compatibility with NixOS Jeff King
2023-11-11 0:10 ` Junio C Hamano
2023-11-13 7:15 ` Patrick Steinhardt
2023-11-13 23:42 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq8r787jy9.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=ps@pks.im \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.