public inbox for git@vger.kernel.org 
From: Junio C Hamano <gitster@pobox•com>
To: Patrick Steinhardt <ps@pks•im>
Cc: git@vger•kernel.org
Subject: Re: [PATCH 2/3] t/lib-httpd: stop using legacy crypt(3) for authentication
Date: Wed, 08 Nov 2023 17:01:02 +0900
Message-ID: <xmqq8r787jy9.fsf@gitster.g>
In-Reply-To: <23835763002c5f5cd68db7bdc9e4c083dda3558f.1699428122.git.ps@pks.im> (Patrick Steinhardt's message of "Wed, 8 Nov 2023 08:30:01 +0100")

Patrick Steinhardt <ps@pks•im> writes:

> When setting up httpd for our tests, we also install a passwd and
> proxy-passwd file that contain the test user's credentials. These
> credentials currently use crypt(3) as the password encryption schema.
>
> This schema can be considered deprecated nowadays as it is not safe
> anymore. Quoting Apache httpd's documentation [1]:
>
>> Unix only. Uses the traditional Unix crypt(3) function with a
>> randomly-generated 32-bit salt (only 12 bits used) and the first 8
>> characters of the password. Insecure.
>
> This is starting to cause issues in modern Linux distributions. glibc
> has deprecated its libcrypt library that used to provide crypt(3) in
> favor of the libxcrypt library. This newer replacement provides a
> compile time switch to disable insecure password encryption schemata,
> which causes crypt(3) to always return `EINVAL`. The end result is that
> httpd tests that exercise authentication will fail on distros that use
> libxcrypt without these insecure encryption schemata.
>
> Regenerate the passwd files to instead use the default password
> encryption schema, which is md5. While it feels kind of funny that an
> MD5-based encryption schema should be more secure than anything else, it
> is the current default and supported by all platforms. Furthermore, it
> really doesn't matter all that much given that these files are only used
> for testing purposes anyway.

This step makes quite a lot of sense, as we are changing this not at
all for security but for portability ;-)

>
> [1]: https://httpd.apache.org/docs/2.4/misc/password_encryptions.html
>
> Signed-off-by: Patrick Steinhardt <ps@pks•im>
> ---
>  t/lib-httpd/passwd       | 2 +-
>  t/lib-httpd/proxy-passwd | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd
> index 99a34d64874..d9c122f3482 100644
> --- a/t/lib-httpd/passwd
> +++ b/t/lib-httpd/passwd
> @@ -1 +1 @@
> -user@host:xb4E8pqD81KQs
> +user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
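Review bot: the replacement hash on the `+user@host:` line carries the `$apr1$` prefix, which is Apache's own APR1 variant of MD5 and not a crypt(3) scheme, yet the commit message only calls it "md5". Naming it as APR1-MD5 there would make clear why the new entry no longer depends on the system's crypt(3), which is the portability point of the change.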
> diff --git a/t/lib-httpd/proxy-passwd b/t/lib-httpd/proxy-passwd
> index 77c25138e07..2ad7705d9a3 100644
> --- a/t/lib-httpd/proxy-passwd
> +++ b/t/lib-httpd/proxy-passwd
> @@ -1 +1 @@
> -proxuser:2x7tAukjAED5M
> +proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
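Review bot: nothing in the `+proxuser:` line or the commit message lets a reader confirm that the new hash encodes the same proxy test password as the old one, and because the `$apr1$` salt (`RxS6MLkD` here) is random, regenerating the file will not reproduce these bytes. Recording the command used to regenerate both files in the commit message would make the entries verifiable and easy to recreate later.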
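An added example, not part of the thread or of Git's test suite: a small audit that classifies htpasswd entries by hash format and reports the ones still relying on legacy crypt(3), which are the entries that stop authenticating on a libxcrypt build without the insecure schemes. The function names are hypothetical; the sample entries are the four lines from the diff above.

```python
import re

# Hash formats httpd accepts in an AuthUserFile, most specific first.
# Legacy crypt(3) has no prefix: 2 salt characters plus 11 hash characters.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]?\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt-des", re.compile(r"^[./A-Za-z0-9]{13}$")),
]

# Only this format is computed by the system's crypt(3).
LIBCRYPT_DEPENDENT = {"crypt-des"}

# Sample input: old and new entries from the two hunks in this patch.
SAMPLE = """\
user@host:xb4E8pqD81KQs
user@host:$apr1$LGPmCZWj$9vxEwj5Z5GzQLBMxp3mCx1
proxuser:2x7tAukjAED5M
proxuser:$apr1$RxS6MLkD$DYsqQdflheq4GPNxzJpx5.
"""

def classify(hash_field):
    """Return the scheme name for one hash field, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "unknown"

def audit(text):
    """Return (line number, user, scheme) for every entry in the file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        scheme = classify(hash_field) if sep else "malformed"
        findings.append((lineno, user, scheme))
    return findings

def needs_regeneration(text):
    """Entries whose verification depends on legacy crypt(3) support."""
    return [f for f in audit(text) if f[2] in LIBCRYPT_DEPENDENT]

if __name__ == "__main__":
    for lineno, user, scheme in needs_regeneration(SAMPLE):
        print(f"line {lineno}: {user} uses {scheme}; regenerate this entry")
```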
