From: Nick Kew Date: Sat, 16 Dec 2006 22:01:53 +0000 (+0000) Subject: PR#40950: backport security note to htpasswd/htdigest docs. X-Git-Tag: 2.2.4~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bfe39256272b1c84074f20ea336d57c4f84abe8d;p=thirdparty%2Fapache%2Fhttpd.git PR#40950: backport security note to htpasswd/htdigest docs. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@487905 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/programs/htdigest.xml b/docs/manual/programs/htdigest.xml index e6bdf484223..fc9df711a6e 100644 --- a/docs/manual/programs/htdigest.xml +++ b/docs/manual/programs/htdigest.xml @@ -66,4 +66,9 @@ +
Security Considerations +

This program is not safe as a setuid executable. Do not make it + setuid.

+
+ diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml index 8b7a915d3a0..6e613d08730 100644 --- a/docs/manual/programs/htpasswd.xml +++ b/docs/manual/programs/htpasswd.xml @@ -188,8 +188,20 @@ distribution. not be within the Web server's URI space -- that is, they should not be fetchable with a browser.

+

This program is not safe as a setuid executable. Do not make it + setuid.

+

The use of the -b option is discouraged, since when it is used the unencrypted password appears on the command line.

+ +

When using the crypt() algorithm, note that only the first + 8 characters of the password are used to form the password. If the supplied + password is longer, the extra characters will be silently discarded.

+ +

The SHA encryption format does not use salting: for a given password, + there is only one encrypted representation. The crypt() and + MD5 formats permute the representation by prepending a random salt string, + to make dictionary attacks against the passwords more difficult.

Restrictions
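Review bot: In the htdigest.xml hunk, the new Security Considerations section gives the rule ("This program is not safe as a setuid executable. Do not make it setuid.") but no rationale, and unlike the htpasswd.xml hunk it carries no further notes, so a reader deciding how to deploy the tool learns what not to do but not what is at stake. Suggest one sentence on why a setuid copy is unsafe, or at minimum a cross-reference to the htpasswd Security Considerations section so the two manual pages stay consistent as they evolve.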
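Review bot: In the htpasswd.xml hunk, the crypt() paragraph reads "only the first 8 characters of the password are used to form the password", which is circular; it should say the first 8 characters are used to form the encrypted password (the stored hash), after which "the extra characters will be silently discarded" reads naturally. Two smaller wording points in the same hunk: the SHA paragraph calls the formats "encryption" although these are one-way password hashes, so "the SHA format" / "hashed representation" would be less misleading (the existing "unencrypted password" phrasing can stay for consistency), and the -b note says the password "appears on the command line" without saying why that matters; adding that it is then readable by other local users (process listings, shell history) would make the risk concrete for the reader.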