1

Does anyone know of (simple) way to use PBKDF2 or BCrypt as a password hash within Apache HTTPD.

The general scenario is that I have a resource in /private that I would like to restrict to a given group of users. Those users will have passwords stored in a database and verified using a mod_auth_dbd.

I would like to get away from using SSHA.

I can see in the Apache apr-util that there is a function apr_password_validate (which handles all the now frowned upon hash types); and in apr_crypto_openssl.c there is crypto_passphrase which is an implementation of PBKDF2.

Has anyone welded the two together? (or have I just missed something obvious somewhere in the Apache docs?)

Ben Walding
  • 201
  • 3
  • 9

2 Answers2

1

So after further review, it seems that everything was a lot simpler than I'd imagined.

HTTPD uses the system provided crypt function, and so leverages its modularity.

http://en.wikipedia.org/wiki/Crypt_(Unix)#Modular_crypt.283.29_Algorithms

In theory it supports BCrypt directly (although I did not test it). I did test SHA-512 using the $6 prefix.

So setting a password as calculated below achieves the desired result:

salt = 'fGn9LR75';
puts 'quohjo5oor4ac3Deolei'.crypt('$6$' + salt);
=>    
"$6$fGn9LR75$juRSrMtKBa8pdZ8tbTouUvDItoF9Fp.LVk8Kqv2ZL5T.R.q/nUQNGePve1Ge/8rDf/xqUwgpY.3F1MQ0qtauf0"
Ben Walding
  • 201
  • 3
  • 9
0

For future searchers, note that bcrypt support was added to Apache in version 2.4.4, released in February 2013.

$ htpasswd -nbB -C 11 username password username:$2y$11$p1icdLB/EqI2z2EPt6JrQOUdy1GzHg5GdDWcwdj3MIXJLSkgrILoa

Royce Williams
  • 1,362
  • 8
  • 16