HtpasswdFile does not support bcrypt

Issue #55 resolved
Anonymous created an issue

(Imported from Google Code)

pdewacht wrote:

What steps will reproduce the problem?

Add an htpasswd entry using the bcrypt algorithm:

htpasswd -B htaccess user pass

Such entries look like this:

user:$2y$05$kULiDItN3P8bapkSxDRdY.a2u/R4rvVdU71UlWwgRwG4RJ6htAUcO

passlib cannot verify this.

What version of the passlib & python are you using? On what operating
system?

Python 3.2.3, passlib 1.6.2

Please provide any additional information below.

See Apache PR 49288 for more information:
https://bz.apache.org/bugzilla/show_bug.cgi?id=49288

Comments (2)

  1. Eli Collins repo owner
    • changed status to open
    • changed Milestone to 1.6.3

    (Imported from Google Code)

    Nice catch, I wasn't aware they'd finally added support. I'll definitely get that added in.

    I should be able to get support added into the 1.6.3 release going out later this week. Once that's out, you should be able to do HtpasswdFile(default_scheme="bcrypt") to have it generate bcrypt hashes by default (it'll recognize them regardless).

    I'd like to make it the default for security reasons, but that might cause some portability issues, and I don't want to do it in a bugfix release. So that will probably be delayed until the 1.7 release.

    In the meantime, there's an obscurely documented option in HtpasswdFile which allows you to pass in a custom CryptContext instance, with arbitrary hashes and configuration. Doing HtpasswdFile(context=CryptContext(["bcrypt", "apr_md5_crypt", "des_crypt", "ldap_sha1", "plaintext"])) should create a HtpasswdFile instance with bcrypt support that works even under 1.6.2.

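Added example, not part of the original thread and not passlib's code: a stdlib-only audit that sorts htpasswd entries into the five schemes named in the CryptContext workaround above and reads the bcrypt cost from the hash, so weak or legacy entries can be found and rehashed. The function names and the `min_cost` threshold of 10 are assumptions.

```python
import re

# Scheme names are the passlib handler names from the comment above; the
# prefix/length rules are the standard htpasswd encodings.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
DES_RE = re.compile(r"^[./A-Za-z0-9]{13}$")

def identify_scheme(hash_field):
    """Return (scheme, bcrypt_cost_or_None) for one htpasswd hash field."""
    m = BCRYPT_RE.match(hash_field)
    if m:
        return "bcrypt", int(m.group(1))
    if hash_field.startswith("$apr1$"):
        return "apr_md5_crypt", None
    if hash_field.startswith("{SHA}"):
        return "ldap_sha1", None
    if DES_RE.match(hash_field):
        # A 13-character plaintext password is indistinguishable from des_crypt.
        return "des_crypt", None
    return "plaintext", None  # fallback for anything unrecognised

def audit_htpasswd(text, min_cost=10):
    """Return [(user, scheme, finding)] for htpasswd file content.

    min_cost is an assumed policy threshold, not a value from the thread.
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme, cost = identify_scheme(hash_field)
        if scheme == "bcrypt":
            finding = "ok" if cost >= min_cost else "low bcrypt cost %d" % cost
        else:
            finding = "rehash with bcrypt"
        results.append((user, scheme, finding))
    return results

# Constructed sample: "user" is the entry quoted in the issue; the other hash
# fields are made-up placeholders that only have the right shape.
SAMPLE = """\
user:$2y$05$kULiDItN3P8bapkSxDRdY.a2u/R4rvVdU71UlWwgRwG4RJ6htAUcO
alice:$apr1$c0nstruc$AAAAAAAAAAAAAAAAAAAAAA
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:abAAAAAAAAAAA
dave:hunter2
"""

if __name__ == "__main__":
    for user, scheme, finding in audit_htpasswd(SAMPLE):
        print("%-6s %-14s %s" % (user, scheme, finding))
```

The `05` in the entry from the issue is the bcrypt cost factor, which is why that entry is reported as low cost under the assumed threshold.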