Hi tech@
While reading htpasswd and htpasswd handling in httpd I noticed that both use
different APIs to handle encrypting/decrypting the passwords.
- htpasswd uses the bcrypt API
- httpd uses the new crypt API
The documentation for bcrypt states:
These functions are deprecated in favor of
On Tue, Jun 06, 2017 at 07:43:02PM +0200, Adam Wolk wrote:
> Hi tech@
>
> While reading htpasswd and htpasswd handling in httpd I noticed that both use
> different APIs to handle encrypting/decrypting the passwords.
>
> - htpasswd uses the bcrypt API
> - httpd uses the new crypt API
>
> The docu
On Tue, Jun 06, 2017 at 02:20:38PM -0400, Bryan Steele wrote:
> >
> > - if (strlcpy(salt, bcrypt_gensalt(8), sizeof(salt)) >= sizeof(salt))
> > - errx(1, "salt too long");
> > - if (strlcpy(hash, bcrypt(pass, salt), sizeof(hash)) >= sizeof(hash))
> > - errx(1, "hash too lo
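Review bot: the removed lines pinned the cost at 8 with bcrypt_gensalt(8) and checked both strlcpy results against the destination size; the lines that replace them are not visible in this hunk, so confirm that the new crypt API call keeps an equivalent size check on the hash buffer and, if it switches to automatic rounds, that the lower bound discussed in the thread is acceptable for the machine the htpasswd file is actually served from.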
> The only thing against using automatic rounds would be having them guessed on a
> weaker machine and used on a more powerful server - doubt though that would ever
> pick something below 8 rounds.
I don't see the concern. It has a lower bound.
On Tue, Jun 06, 2017 at 12:28:59PM -0600, Theo de Raadt wrote:
> > The only thing against using automatic rounds would be having them guessed on a
> > weaker machine and used on a more powerful server - doubt though that would ever
> > pick something below 8 rounds.
>
> I don't see the c
When talking about this with mulander@ it came out that the docs could
use a touch.
The commit message for the diff that didn't update the docs was:
permit "bcrypt" as an alias for "blowfish". this is, after all, what
99% of the world calls it.
allow just "bcrypt" without params to me
On Tue, Jun 06, 2017 at 09:16:08PM +0200, Michal Mazurek wrote:
> When talking about this with mulander@ it came out that the docs could
> use a touch.
>
> The commit message for the diff that didn't update the docs was:
>
> permit "bcrypt" as an alias for "blowfish". this is, after all, what
On 20:49:05, 6.06.17, Jason McIntyre wrote:
> right now this man page suggests that people will use "bcrypt,a"
> to "automatically suggest rounds based on system performance". is
> that right? i'd have expected people to just use "bcrypt" (w/o
> args). in fact, why have "a" at all? why not just ha
On Tue, Jun 06, 2017 at 08:49:32PM +0200, Adam Wolk wrote:
> On Tue, Jun 06, 2017 at 12:28:59PM -0600, Theo de Raadt wrote:
> > > The only thing against using automatic rounds would be having them guessed on a
> > > weaker machine and used on a more powerful server - doubt though that
> > >
> On 20:49:05, 6.06.17, Jason McIntyre wrote:
> > right now this man page suggests that people will use "bcrypt,a"
> > to "automatically suggest rounds based on system performance". is
> > that right? i'd have expected people to just use "bcrypt" (w/o
> > args).
Because you can't change everythin
On Tue, Jun 06, 2017 at 08:29:23PM +, Florian Obser wrote:
> On Tue, Jun 06, 2017 at 08:49:32PM +0200, Adam Wolk wrote:
> > On Tue, Jun 06, 2017 at 12:28:59PM -0600, Theo de Raadt wrote:
> > > > The only thing against using automatic rounds would be having them
> > > > guessed on a
> > > > wea
Michal Mazurek wrote:
> Yes, the function seems a bit inconsistent, in that "bcrypt" means "bcrypt,a"
> but NULL means "bcrypt,8". awolk@ points out that the function is used in
> just a few places - src and some ports patches, so we should be able to
> change it. Judging by the commit message the
On 21:16:08, 6.06.17, Michal Mazurek wrote:
> When talking about this with mulander@ it came out that the docs could
> use a touch.
>
> The commit message for the diff that didn't update the docs was:
>
> permit "bcrypt" as an alias for "blowfish". this is, after all, what
> 99% of the w
Michal Mazurek wrote:
> When talking about this with mulander@ it came out that the docs could
> use a touch.
>
> The commit message for the diff that didn't update the docs was:
>
> permit "bcrypt" as an alias for "blowfish". this is, after all, what
> 99% of the world calls it.
> al
On 15:31:50, 10.06.17, Ted Unangst wrote:
> > @@ -58,17 +58,29 @@ The provided
> > .Fa password
> > is randomly salted and hashed and stored in
> > .Fa hash .
> > +.Fa hash
> > +must already be allocated, and
> > +.Fa hashsize
> > +must contain its size, which cannot be less than 61 bytes.
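Review bot: on the `.Fa hashsize` line the 61-byte minimum is a bare number; say where it comes from (the 60-character bcrypt string plus its terminating NUL) or name a constant callers can use, so the requirement is not copied into callers as a magic number.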
>
>
Michal Mazurek wrote:
> On 15:31:50, 10.06.17, Ted Unangst wrote:
> > > @@ -58,17 +58,29 @@ The provided
> > > .Fa password
> > > is randomly salted and hashed and stored in
> > > .Fa hash .
> > > +.Fa hash
> > > +must already be allocated, and
> > > +.Fa hashsize
> > > +must contain its size, w
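The semantics argued over in the messages above (NULL versus "bcrypt" versus "bcrypt,a", "bcrypt" as an alias for "blowfish", and the 61-byte minimum for the hash buffer) are easier to reason about as code. The block below is an added example, not code from the thread, from OpenBSD libc, or from htpasswd: a small parser that maps a pref string to a requested cost exactly as the thread describes the behaviour, plus the buffer size check the quoted man page diff documents. The function names pref_rounds and hashsize_ok, the sentinel values, and the 4..31 bounds on an explicit cost are assumptions made for the example.

```c
/*
 * Added example; not code from the thread, OpenBSD libc, or htpasswd.
 * Models the "pref" string semantics the thread describes:
 *   NULL        -> fixed cost 8
 *   "bcrypt"    -> automatic cost ("bcrypt" is an alias for "blowfish")
 *   "bcrypt,a"  -> automatic cost
 *   "bcrypt,N"  -> explicit log2 cost N
 * The round bounds, names and sentinel values below are assumptions.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BCRYPT_HASHLEN   61   /* 60-character bcrypt string plus NUL */
#define ROUNDS_MIN        4   /* assumed lower bound for an explicit cost */
#define ROUNDS_MAX       31   /* assumed upper bound for an explicit cost */
#define ROUNDS_DEFAULT    8   /* what the thread says a NULL pref selects */
#define ROUNDS_AUTO       0   /* sentinel: pick cost from system performance */
#define ROUNDS_INVALID   -1   /* sentinel: pref string rejected */

/* Return the log2 cost requested by pref, ROUNDS_AUTO, or ROUNDS_INVALID. */
int
pref_rounds(const char *pref)
{
	char algo[16];
	const char *comma, *arg;
	char *end;
	size_t alen;
	long n;

	if (pref == NULL)
		return ROUNDS_DEFAULT;

	comma = strchr(pref, ',');
	alen = comma != NULL ? (size_t)(comma - pref) : strlen(pref);
	if (alen == 0 || alen >= sizeof(algo))
		return ROUNDS_INVALID;
	memcpy(algo, pref, alen);
	algo[alen] = '\0';

	/* "bcrypt" is accepted as an alias for "blowfish". */
	if (strcmp(algo, "bcrypt") != 0 && strcmp(algo, "blowfish") != 0)
		return ROUNDS_INVALID;

	/* No argument, or "a": automatic rounds. */
	if (comma == NULL)
		return ROUNDS_AUTO;
	arg = comma + 1;
	if (strcmp(arg, "a") == 0)
		return ROUNDS_AUTO;

	/* Otherwise the argument must be a whole decimal number in range. */
	if (*arg < '0' || *arg > '9')
		return ROUNDS_INVALID;
	errno = 0;
	n = strtol(arg, &end, 10);
	if (errno != 0 || *end != '\0' || n < ROUNDS_MIN || n > ROUNDS_MAX)
		return ROUNDS_INVALID;
	return (int)n;
}

/* The destination buffer check the quoted man page diff asks for. */
int
hashsize_ok(size_t hashsize)
{
	return hashsize >= BCRYPT_HASHLEN;
}

int
main(void)
{
	/* Constructed sample prefs covering each branch of the parser. */
	const char *prefs[] = { "bcrypt", "bcrypt,a", "blowfish,10", "bcrypt,3", "md5,8" };
	size_t i;

	printf("NULL -> %d\n", pref_rounds(NULL));
	for (i = 0; i < sizeof(prefs) / sizeof(prefs[0]); i++)
		printf("%-12s -> %d\n", prefs[i], pref_rounds(prefs[i]));
	printf("hashsize 60 ok? %d, 61 ok? %d\n", hashsize_ok(60), hashsize_ok(61));
	return 0;
}
```

The inconsistency Michal points out is visible in the first two branches: a NULL pref yields a fixed 8 while a bare "bcrypt" yields the automatic sentinel, so a caller that passes NULL and a caller that passes "bcrypt" get different cost policies from what looks like the same default.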