[Solved] Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why?

Added by l3u about 1 month ago

Hi :-)

I have a problem with a Gentoo machine I run. I have lighttpd 1.4.59 installed there. When I define some password-protected directory via

$HTTP["url"] =~ "^/test/" {
    auth.backend = "htpasswd" 
    auth.backend.htpasswd.userfile = "/etc/lighttpd/test.htpasswd" 
    auth.require = ( "" => ( "method" => "basic",
                             "realm"  => "test login",
                             "require" => "valid-user" ) )
}

and create a password file using htpasswd /etc/lighttpd/test.htpasswd test, e.g. the following file is created (using also "test" as a password):
test:$apr1$CTkRN1VJ$HbhH2TJ72oRWKBabGumT21

The login works as expected. But when I use bcrypt to hash the password using htpasswd -B /etc/lighttpd/test.htpasswd test, resulting in
test:$2y$05$YE/nvftdEeywb/wrZJm3nOQRha2XMndWSn/H.YeYsSDgCnCrC0Mh.

the login is not possible anymore. The password dialog pops up again after entering user name and password, and error.log contains something like:
2021-10-27 16:54:13: mod_auth.c.828) password doesn't match for /test/ username: test IP: 192.168.178.21

If I change the password again back to the default MD5/apr1 hashing, I can log in again.

I did suppose that lighttpd simply can't handle bcrypt hashed passwords, but on one of my servers running Ubuntu 20.04 and lighttpd 1.4.55, the very same setup does work without a problem with bcrypt hashed passwords.

So what's causing this? Why does it work with the Ubuntu version, but not with the Gentoo version? Thanks for all hints!


Replies (9)

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by gstrauss about 1 month ago

This is likely a package management difference. Was lighttpd built with support for libcrypt?

$ lighttpd -V | grep "crypt support" 
    + crypt support

If you see - crypt support, then you are missing crypt support and that build of lighttpd mod_authn_file will not be able to handle bcrypt passwords.

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by l3u about 1 month ago

It's the same output for the Gentoo and the Ubuntu box:

$ lighttpd -V | grep "crypt support" 
        + crypt support

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by gstrauss about 1 month ago

I just tested lighttpd 1.4.60 on Fedora 34 and it works fine with test.htpasswd created using htpasswd -B ...

Did you create the test.htpasswd on the Gentoo system? Or was the htpasswd -B run on a different machine?
I know that is a stretch, but lighttpd works on other systems and does not differentiate "Ubuntu" vs "Gentoo" vs "Fedora" vs ...

Maybe double-check that mod_authn_file.so is linked with libcrypt.so.X ?
ldd /fill/in/path/to/mod_authn_file.so

If you are feeling adventurous, you might try to test-build lighttpd yourself on the Gentoo system.
lighttpd source code and build instructions

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by l3u about 1 month ago

Yes, I created the hash on the machine that runs lighttpd.

mod_authn_dbi.so is linked to libcrypt.so:

$ ldd /usr/lib64/lighttpd/mod_authn_dbi.so
        linux-vdso.so.1 (0x00007ffe93be8000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2ebcf2a000)
        libdbi.so.1 => /usr/lib64/libdbi.so.1 (0x00007f2ebcf17000)
        libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f2ebcc60000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2ebcaa9000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f2ebcaa4000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2ebca85000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f2ebcf70000)

Actually, I DID compile lighttpd myself – on a Gentoo system, by default, each and every package you install is built from sources on that very machine anyway.

Normally, the other distributions make a choice what to include and what to leave out, and what to link against and what not due to packaging and dependencies, whereas on Gentoo, you can normally choose which features you would like to have. Because you can also adjust pulled libraries and rebuild them with some feature you need. So normally, it's the others who don't have something ;-)

It's obvious that there's no "Ubuntu Lighttpd" or a "Gentoo Lighttpd". My assumption was that Ubuntu may have patched something to make bcrypt work. Also, lighttpd's error log apparently doesn't differentiate between "The entered password didn't match" and "I couldn't check the password due to some strange issue".

I however filed a Gentoo bug about this, as this is at least unexpected behavior: https://bugs.gentoo.org/820524. Would be cool if we could track this down somehow ...

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by gstrauss about 1 month ago

If you are familiar with a debugger, you can run lighttpd under gdb and break at mod_authn_file_crypt_cmp(), and see what strings are compared in strcmp() after the call to crypt() (as long as crypt() does not return NULL).

If you are comfortable patching the lighttpd code and rebuilding, you can confirm that lighttpd is using crypt():

--- a/src/mod_authn_file.c
+++ b/src/mod_authn_file.c
@@ -690,6 +690,7 @@ static handler_t mod_authn_file_htpasswd_basic(request_st * const r, void *p_d,
      * everything else should be longer */
     else if (tblen >= 13) {
         rc = mod_authn_file_crypt_cmp(tb, pw);
+log_error(r->conf.errh, __FILE__, __LINE__, "%s crypt() cmp rc:%d", __func__, rc);
     }
   #endif
     tblen = (tblen + 63) & ~63u;
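Review bot: the added log_error() call sits in column 0 inside the `else if (tblen >= 13)` block while the `rc = mod_authn_file_crypt_cmp(tb, pw);` line just above it is indented; indent it to match so the debug hunk reads as part of that block. It also logs only rc, which does not separate crypt() returning NULL from a genuine mismatch, the very distinction the gdb route in this reply is meant to settle; logging whether the crypt() result was NULL next to rc would let the one-line patch answer that question by itself.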

BTW, I asked you to check ldd on mod_authn_file.so, not mod_authn_dbi.so, though if libcrypt.so.1 is linked in one, then it should be linked in the other. Regarding versioning, my Fedora 34 system is using libcrypto.so.2.0.0 from the libxcrypt RPM, version 4.4.26. My system also has libcrypto.so.1.1.0 from the libxcrypt-compat RPM. What version of libxcrypt is on your Gentoo system?

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by l3u about 1 month ago

I'm not a gdb pro, but I'll see what I can do ;-) I'll compile a debug build, add your patch and post the result here.

Oh sorry, I ldd'd the wrong file ;-) Here's the output for mod_authn_file.so:

$ ldd /usr/lib64/lighttpd/mod_authn_file.so
        linux-vdso.so.1 (0x00007ffd8a1c3000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fa885660000)
        libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007fa8853a9000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fa8851f2000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fa8851ed000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa8851ce000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fa8856a8000)

The libcrypt.so.1 file belongs to sys-libs/glibc-2.33-r1 here.

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by gstrauss about 1 month ago

I am curious: would you ldd /usr/bin/htpasswd ? Hopefully it also links with libcrypt.so.1 => /lib64/libcrypt.so.1

RE: Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by gstrauss about 1 month ago

libxcrypt supports bcrypt: https://github.com/besser82/libxcrypt

From a really quick look at the source code (and a grep for 'blowfish'), I do not think glibc 2.33 libcrypt has support for bcrypt.
Gentoo: https://wiki.gentoo.org/wiki/Project:Toolchain/libcrypt_implementation
Arch: https://bugs.archlinux.org/task/67312 "[glibc][pam] Use libxcrypt to provide libcrypt"
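As an added example (my own code, not lighttpd's or libxcrypt's), the script below loads the system libcrypt the way mod_authn_file links it and runs the $2y$ line from the post through crypt(3), classifying the result the way the diagnosis above predicts: glibc's own libcrypt returns NULL for a prefix it does not know, libxcrypt returns a "*0" failure token for a method it was built without, and either one reaches lighttpd's strcmp() as a plain mismatch, hence the "password doesn't match" log line. It also fingerprints the implementation: libxcrypt exports crypt_gensalt(), glibc's libcrypt does not. Assumptions: the soname libcrypt.so.1 seen in the ldd output as the fallback name, and the password "test" the poster used. The $apr1$ line works on both boxes because mod_authn_file has its own MD5/apr1 code and only hands the other formats to crypt().

```python
"""Probe the system libcrypt the way lighttpd's mod_authn_file would use it.

Added example, not lighttpd or libxcrypt code. Assumptions are marked.
"""
import ctypes
import ctypes.util
import hmac

# Hash line copied from the forum post (htpasswd -B, password "test" per the poster).
BCRYPT_SETTING = "$2y$05$YE/nvftdEeywb/wrZJm3nOQRha2XMndWSn/H.YeYsSDgCnCrC0Mh."
LIBCRYPT_FALLBACK = "libcrypt.so.1"   # assumption: the soname from the ldd output


def load_libcrypt():
    """Return (crypt_callable, is_libxcrypt), or (None, False) if no libcrypt loads.

    libxcrypt exports crypt_gensalt(); the libcrypt that ships with glibc
    (the one behind glibc 2.33 on the Gentoo box) does not, so the symbol
    is a usable fingerprint for which implementation is installed.
    """
    name = ctypes.util.find_library("crypt") or LIBCRYPT_FALLBACK
    try:
        lib = ctypes.CDLL(name)
        fn = lib.crypt
    except (OSError, AttributeError):
        return None, False
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    fn.restype = ctypes.c_char_p          # a NULL return arrives as None

    def crypt(password, setting):
        out = fn(password.encode(), setting.encode())
        return None if out is None else out.decode()

    return crypt, hasattr(lib, "crypt_gensalt")


def setting_prefix(setting):
    """'$2y$' for '$2y$05$...', '$apr1$' for '$apr1$...', else the 2-char DES salt."""
    if setting.startswith("$"):
        end = setting.find("$", 1)
        if end > 0:
            return setting[:end + 1]
    return setting[:2]


def crypt_status(result, setting):
    """Classify what crypt(3) handed back for the given setting string.

    glibc's libcrypt returns NULL (errno EINVAL) for a prefix it does not know;
    libxcrypt returns a failure token '*0' (or '*1') instead of NULL.
    Either way a strcmp() against the stored hash sees "no match".
    """
    if result is None or result.startswith("*"):
        return "unsupported"
    if not result.startswith(setting_prefix(setting)):
        return "unsupported"
    return "hashed"


def verify_password(password, stored, crypt_fn):
    """Return (status, matched); matched is only meaningful when status is 'hashed'."""
    result = crypt_fn(password, stored)
    status = crypt_status(result, stored)
    if status != "hashed":
        return status, False
    # constant-time compare of the recomputed hash against the stored line
    return status, hmac.compare_digest(result.encode(), stored.encode())


def probe_bcrypt(password="test"):
    """Report what this machine's libcrypt does with the post's $2y$ hash."""
    crypt_fn, is_libxcrypt = load_libcrypt()
    if crypt_fn is None:
        return {"impl": "none", "status": "no-libcrypt", "matched": False}
    status, matched = verify_password(password, BCRYPT_SETTING, crypt_fn)
    return {"impl": "libxcrypt" if is_libxcrypt else "other",
            "status": status, "matched": matched}


if __name__ == "__main__":
    print(probe_bcrypt())
```

Run it on the lighttpd host: "impl": "libxcrypt" with "status": "hashed" means the $2y$ line is being verified; "status": "unsupported" together with "impl": "other" is the glibc-libcrypt situation from this thread, and no amount of lighttpd configuration will change it until libcrypt is provided by libxcrypt.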

RE: [Solved] Can't use bcrypt for http auth on Gentoo, but on Ubuntu, it works – why? - Added by l3u about 1 month ago

Just to also answer this:

$ ldd /usr/bin/htpasswd
        linux-vdso.so.1 (0x00007ffe33ffd000)
        libaprutil-1.so.0 => /usr/lib64/libaprutil-1.so.0 (0x00007f1b056a2000)
        libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00007f1b05664000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f1b05645000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f1b0560b000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f1b05454000)
        libexpat.so.1 => /usr/lib64/libexpat.so.1 (0x00007f1b05423000)
        libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f1b05418000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f1b0540e000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f1b05409000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1b056dd000)

But actually, it looks like you could figure out the root cause for bcrypt not working. Thanks for tracking this down in no time :-) So this will fix itself when migrating to libxcrypt.
