From ac45e40b4d3cdc2497d5b6f5efe7d8a927beca21 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 4 May 2024 12:03:19 +0200 Subject: Merging upstream version 2.4.59. Signed-off-by: Daniel Baumann --- docs/manual/programs/htpasswd.html.en | 90 ++++++++++++++++++++++++----------- 1 file changed, 62 insertions(+), 28 deletions(-) (limited to 'docs/manual/programs/htpasswd.html.en') diff --git a/docs/manual/programs/htpasswd.html.en b/docs/manual/programs/htpasswd.html.en index 9c219e1..98689b4 100644 --- a/docs/manual/programs/htpasswd.html.en +++ b/docs/manual/programs/htpasswd.html.en @@ -38,17 +38,18 @@

Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd. This program can only manage usernames and passwords stored in a flat-file. It - can encrypt and display password information for use in other types of data + can hash and display password information for use in other types of data stores, though. To use a DBM database see dbmmanage or htdbm.

-

htpasswd encrypts passwords using either bcrypt, - a version of MD5 modified for Apache, SHA1, or the system's - crypt() routine. Files - managed by htpasswd may contain a mixture of different encoding - types of passwords; some - user records may have bcrypt or MD5-encrypted passwords while others in the - same file may have passwords encrypted with crypt().

+

htpasswd hashes passwords using either bcrypt, a + version of MD5 modified for Apache, SHA-1, or the system's + crypt() routine. SHA-2-based hashes (SHA-256 and + SHA-512) are supported for crypt(). Files managed by + htpasswd may contain a mixture of different encoding + types of passwords; some user records may have bcrypt or + MD5-hashed passwords while others in the same file may have + passwords hashed with crypt().

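Review bot: the phrase "mixture of different encoding types of passwords" in this paragraph should become "mixture of different hash types" to match the encrypts/encrypted -> hashes/hashed rename applied to the sentences around it; a password hash is neither encryption nor an encoding, and leaving "encoding" here undercuts the point of the rename. The new SHA-2 sentence also reads as bolted on after the algorithm list; consider folding it into the list itself, e.g. "or the system's crypt() routine (including its SHA-256 and SHA-512 variants where crypt() supports them)", so the reader is not left wondering whether SHA-2 is a fifth top-level choice.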
This manual page only lists the command line arguments. For details of the directives necessary to configure user authentication in @@ -71,9 +72,12 @@ distribution.

  • Comments
  • [ -i ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] [ -D ] [ -v ] passwdfile username

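Review bot: the synopsis shows "[ -r rounds ] [ -C cost ]" as two independent optional arguments, but the option list below ties -r to -2/-5 only and -C to -B only. This follows how -C was already presented, so it is consistent, but since the algorithm group lists -B before -2 and -5, placing "[ -C cost ]" before "[ -r rounds ]" would keep the cost parameters in the same order as the algorithms they belong to and make the pairing easier to spot.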
    @@ -82,9 +86,12 @@ distribution.
  • Comments
  • [ -c ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] [ -D ] [ -v ] passwdfile username @@ -94,17 +101,23 @@ distribution.
  • Comments
  • [ -i ] [ -m | -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] username

    htpasswd -nb [ -m | - -B | + -B | + -2 | + -5 | -d | -s | -p ] + [ -r rounds ] [ -C cost ] username password

    top
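Review bot: in the "htpasswd -nb" synopsis the "-B |" line is removed and re-added with no visible change ("- -B |" / "+ -B |"); if this is only an indentation fix it is harmless, but if it is accidental churn it should be dropped so the hunk contains just the -2, -5 and -r additions like the other three synopses.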
    @@ -134,29 +147,44 @@ distribution.
  • Comments
  • one) is omitted. It cannot be combined with the -c option.
    -m
    -
    Use MD5 encryption for passwords. This is the default (since version +
    Use MD5 hashing for passwords. This is the default (since version 2.2.18).
    +
    -2
    +
    Use SHA-256 crypt() based hashes for passwords. This is + supported on most Unix platforms.
    + +
    -5
    +
    Use SHA-512 crypt() based hashes for passwords. This is + supported on most Unix platforms.
    +
    -B
    -
    Use bcrypt encryption for passwords. This is currently considered to +
    Use bcrypt hashing for passwords. This is currently considered to be very secure.
    -C
    This flag is only allowed in combination with -B (bcrypt - encryption). It sets the computing time used for the bcrypt algorithm + hashing). It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17).
    +
    -r
    +
    This flag is only allowed in combination with -2 + or -5. It sets the number of hash rounds used for the + SHA-2 algorithms (higher is more secure but slower; the default is + 5,000).
    +
    -d
    -
    Use crypt() encryption for passwords. This is not +
    Use crypt() hashing for passwords. This is not supported by the httpd server on Windows and Netware. This algorithm limits the password length to 8 characters. This algorithm is insecure by today's standards. It used to be the default algorithm until version 2.2.17.
    -s
    -
    Use SHA encryption for passwords. Facilitates migration from/to Netscape - servers using the LDAP Directory Interchange Format (ldif). - This algorithm is insecure by today's standards.
    +
    Use SHA-1 (160-bit) hashing for passwords. Facilitates migration + from/to Netscape servers using the LDAP Directory Interchange + Format (ldif). This algorithm is insecure by + today's standards.
    -p
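Review bot: the new -r entry gives the default (5,000) but not the accepted range, whereas the neighbouring -C entry states "valid: 4 to 17"; the SHA-crypt specification linked later in this patch defines a minimum and maximum rounds value and clamps anything outside that range, so the entry should state the accepted range and what happens to out-of-range values rather than leaving the reader to discover the clamping. Two smaller points on the same hunk: the -d entry says crypt() "is not supported by the httpd server on Windows and Netware", and since -2 and -5 are also described as crypt()-based, the -2/-5 entries should say explicitly whether the same server-side restriction applies instead of only "supported on most Unix platforms"; and "crypt() based hashes" should be hyphenated as "crypt()-based", matching "SHA-2-based" used elsewhere in the patch.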
    Use plaintext passwords. Though htpasswd will support @@ -183,7 +211,7 @@ distribution.
  • Comments
  • does exist, the password is changed.
    password
    -
    The plaintext password to be encrypted and stored in the file. Only +
    The plaintext password to be hashed and stored in the file. Only used with the -b flag.
    top
    @@ -208,7 +236,7 @@ distribution.
  • Comments
  • Adds or modifies the password for user jsmith. The user - is prompted for the password. The password will be encrypted using the + is prompted for the password. The password will be hashed using the modified Apache MD5 algorithm. If the file does not exist, htpasswd will do nothing except return an error.

    @@ -239,29 +267,35 @@ distribution.
  • Comments
  • setuid.

    The use of the -b option is discouraged, since when it is - used the unencrypted password appears on the command line.

    + used the plaintext password appears on the command line.

    When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

    -

    The SHA encryption format does not use salting: for a given password, - there is only one encrypted representation. The crypt() and - MD5 formats permute the representation by prepending a random salt string, - to make dictionary attacks against the passwords more difficult.

    +

    The SHA-1 hashing format does not use salting: for a given + password, there is only one hashed representation. The + crypt() and MD5 formats permute the representation by + prepending a random salt string, to make dictionary attacks + against the passwords more difficult.

    + +

    The SHA-1 and crypt() formats are insecure by + today's standards.

    -

    The SHA and crypt() formats are insecure by today's - standards.

    +

    The SHA-2-based crypt() formats (SHA-256 and + SHA-512) are supported on most modern Unix systems, and follow the + specification at https://www.akkadia.org/drepper/SHA-crypt.txt.

    +
    top

    Restrictions

    -

    On the Windows platform, passwords encrypted with +

    On the Windows platform, passwords hashed with htpasswd are limited to no more than 255 characters in length. Longer passwords will be truncated to 255 characters.

    The MD5 algorithm used by htpasswd is specific to the Apache - software; passwords encrypted using it will not be usable with other Web + software; passwords hashed using it will not be usable with other Web servers.

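Review bot: the rewritten salting paragraph still says only "The crypt() and MD5 formats permute the representation by prepending a random salt string", which is now incomplete: bcrypt (-B) and the SHA-256/SHA-512 crypt() formats (-2/-5) that this patch documents are salted as well, and the linked SHA-crypt specification describes the salt field, so the sentence should name them or say "all other formats". Likewise "The SHA-1 and crypt() formats are insecure by today's standards" is now ambiguous, since -2 and -5 are also described as crypt()-based; it should say the traditional crypt() format selected by -d. Finally, the added SHA-2 paragraph in this Security Considerations section only states platform support and the spec URL; a sentence noting that -r raises the work factor, as -C does for bcrypt, would make it a security consideration rather than a compatibility note.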
    Usernames are limited to 255 bytes and may not include the @@ -295,7 +329,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/programs/htpasswd.ht } })(window, document); //-->