[PATCH v3 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Patrick Steinhardt <ps@pks.im>
To: git@vger.kernel.org
Cc: Jeff King <peff@peff.net>, Junio C Hamano <gitster@pobox.com>
Subject: [PATCH v3 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication
Date: Thu, 9 Nov 2023 08:09:56 +0100	[thread overview]
Message-ID: <3dce76da477852e5e6964ea20cad2bfe2788a96f.1699513524.git.ps@pks.im> (raw)
In-Reply-To: <cover.1699513524.git.ps@pks.im>

[-- Attachment #1: Type: text/plain, Size: 2129 bytes --]

When setting up httpd for our tests, we also install a passwd and
proxy-passwd file that contain the test user's credentials. These
credentials currently use crypt(3) as the password encryption schema.

This schema can be considered deprecated nowadays as it is not safe
anymore. Quoting Apache httpd's documentation [1]:

> Unix only. Uses the traditional Unix crypt(3) function with a
> randomly-generated 32-bit salt (only 12 bits used) and the first 8
> characters of the password. Insecure.

This is starting to cause issues in modern Linux distributions. glibc
has deprecated its libcrypt library that used to provide crypt(3) in
favor of the libxcrypt library. This newer replacement provides a
compile time switch to disable insecure password encryption schemata,
which causes crypt(3) to always return `EINVAL`. The end result is that
httpd tests that exercise authentication will fail on distros that use
libxcrypt without these insecure encryption schematas.

Regenerate the passwd files to instead use the default password
encryption schema, which is md5. While it feels kind of funny that an
MD5-based encryption schema should be more secure than anything else, it
is the current default and supported by all platforms. Furthermore, it
really doesn't matter all that much given that these files are only used
for testing purposes anyway.

[1]: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html

Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
 t/lib-httpd/passwd       | 2 +-
 t/lib-httpd/proxy-passwd | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd
index 99a34d64874..d9c122f3482 100644
--- a/t/lib-httpd/passwd
+++ b/t/lib-httpd/passwd
@@ -1 +1 @@
-user@host:xb4E8pqD81KQs
+user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
diff --git a/t/lib-httpd/proxy-passwd b/t/lib-httpd/proxy-passwd
index 77c25138e07..2ad7705d9a3 100644
--- a/t/lib-httpd/proxy-passwd
+++ b/t/lib-httpd/proxy-passwd
@@ -1 +1 @@
-proxuser:2x7tAukjAED5M
+proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
-- 
2.42.0

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2023-11-09  7:10 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-08  7:29 [PATCH 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-08  7:29 ` [PATCH 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-08  7:59   ` Junio C Hamano
2023-11-08 10:42     ` Patrick Steinhardt
2023-11-08 16:44       ` Jeff King
2023-11-08  7:30 ` [PATCH 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-08  8:01   ` Junio C Hamano
2023-11-08  7:30 ` [PATCH 3/3] t9164: fix inability to find basename(1) in hooks Patrick Steinhardt
2023-11-08 14:57 ` [PATCH v2 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-08 14:57   ` [PATCH v2 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-08 16:54     ` Jeff King
2023-11-09  0:30       ` Junio C Hamano
2023-11-09  6:30       ` Patrick Steinhardt
2023-11-08 14:57   ` [PATCH v2 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-08 17:02     ` Jeff King
2023-11-08 14:57   ` [PATCH v2 3/3] t9164: fix inability to find basename(1) in hooks Patrick Steinhardt
2023-11-08 17:21     ` Jeff King
2023-11-08 17:43       ` Junio C Hamano
2023-11-09  6:30         ` Patrick Steinhardt
2023-11-09  7:02           ` Patrick Steinhardt
2023-11-09  7:09 ` [PATCH v3 0/3] t: improve compatibility with NixOS Patrick Steinhardt
2023-11-09  7:09   ` [PATCH v3 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-09  7:32     ` Jeff King
2023-11-09  7:36       ` Patrick Steinhardt
2023-11-09  7:46         ` Junio C Hamano
2023-11-09  7:57           ` Patrick Steinhardt
2023-11-09  7:48         ` Jeff King
2023-11-09  7:09   ` Patrick Steinhardt [this message]
2023-11-09  7:10   ` [PATCH v3 3/3] t9164: fix inability to find basename(1) in Subversion hooks Patrick Steinhardt
2023-11-09  7:35     ` Jeff King
2023-11-09  7:36   ` [PATCH v3 0/3] t: improve compatibility with NixOS Jeff King
2023-11-10  8:16 ` [PATCH v4 " Patrick Steinhardt
2023-11-10  8:17   ` [PATCH v4 1/3] t/lib-httpd: dynamically detect httpd and modules path Patrick Steinhardt
2023-11-11  0:00     ` Junio C Hamano
2023-11-13  7:15       ` Patrick Steinhardt
2023-11-10  8:17   ` [PATCH v4 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication Patrick Steinhardt
2023-11-10  8:17   ` [PATCH v4 3/3] t9164: fix inability to find basename(1) in Subversion hooks Patrick Steinhardt
2023-11-10 21:41   ` [PATCH v4 0/3] t: improve compatibility with NixOS Jeff King
2023-11-11  0:10   ` Junio C Hamano
2023-11-13  7:15     ` Patrick Steinhardt
2023-11-13 23:42       ` Junio C Hamano

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:99a34d6487 dfblob:d9c122f348 dfblob:77c25138e0
dfblob:2ad7705d9a )
 OR (
bs:"[PATCH v3 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3dce76da477852e5e6964ea20cad2bfe2788a96f.1699513524.git.ps@pks.im \
    --to=ps@pks.im \
    --cc=git@vger.kernel.org \
    --cc=gitster@pobox.com \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).