From 7992e8ed13059859a0b17d9569a8081763df645f Mon Sep 17 00:00:00 2001 From: Eli Collins Date: Wed, 27 Jun 2012 15:58:17 -0400 Subject: md5_crypt deprecated by author, updated docs accordingly --- CHANGES | 2 ++ docs/lib/passlib.hash.apr_md5_crypt.rst | 11 ++++++++--- docs/lib/passlib.hash.md5_crypt.rst | 25 +++++++++++++++++-------- passlib/apache.py | 6 +++++- passlib/handlers/md5_crypt.py | 7 +++++++ 5 files changed, 39 insertions(+), 12 deletions(-) diff --git a/CHANGES b/CHANGES index 592758f..433deb2 100644 --- a/CHANGES +++ b/CHANGES @@ -15,6 +15,8 @@ Release History * Fixed bug in passlib.apache unittest which caused test to fail if filesystem had mtime resolution >= 1 second (:issue:`35`). + * Various documentation updates and corrections. + **1.6** (2012-05-01) ==================== diff --git a/docs/lib/passlib.hash.apr_md5_crypt.rst b/docs/lib/passlib.hash.apr_md5_crypt.rst index c441765..883f44e 100644 --- a/docs/lib/passlib.hash.apr_md5_crypt.rst +++ b/docs/lib/passlib.hash.apr_md5_crypt.rst @@ -4,12 +4,17 @@ :class:`passlib.hash.apr_md5_crypt` - Apache's MD5-Crypt variant ====================================================================== +.. warning:: + + As of 2012-6-7, the MD5-Crypt algorithm is "no longer considered safe" + by it's author, who urges migration to newer hash algorithms. + .. currentmodule:: passlib.hash -This format is a variation of :class:`~passlib.hash.md5_crypt`, +This hash is a variation of :class:`~passlib.hash.md5_crypt`, primarily used by the Apache webserver in ``htpasswd`` files. -It contains only minor changes to the md5-crypt algorithm, -and should be considered just as strong / weak as md5-crypt itself. +It contains only minor changes to the MD5-Crypt algorithm, +and should be considered just as weak as MD5-Crypt itself. .. seealso:: diff --git a/docs/lib/passlib.hash.md5_crypt.rst b/docs/lib/passlib.hash.md5_crypt.rst index fefae6b..e10afcc 100644 --- a/docs/lib/passlib.hash.md5_crypt.rst +++ b/docs/lib/passlib.hash.md5_crypt.rst @@ -4,17 +4,25 @@ :class:`passlib.hash.md5_crypt` - MD5 Crypt ================================================================== +.. warning:: + + As of 2012-6-7, this algorithm is "no longer considered safe" + by it's author [#phk]_, citing the increased + speed of the MD5 hash on modern hardware, and MD5-Crypt's + lack of a variable time-cost parameter. See Passlib's + :ref:`recommended hashes ` for a replacement. + .. currentmodule:: passlib.hash This algorithm was developed for FreeBSD in 1994 by Poul-Henning Kamp, to replace the aging :class:`passlib.hash.des_crypt`. It has since been adopted by a wide variety of other Unix flavors, and is found in many other contexts as well. Due to it's origins, it's sometimes referred to as "FreeBSD MD5 Crypt". -Security-wise it is considered to be steadily weakening (due to fixed cost), -and most unix flavors have since replaced with with stronger schemes, -such as :class:`~passlib.hash.sha512_crypt` and :class:`~passlib.hash.bcrypt`. +Security-wise it should now be considered weak, +and most Unix flavors have since replaced it with stronger schemes +(such as :class:`~passlib.hash.sha512_crypt` and :class:`~passlib.hash.bcrypt`). -This is also referred to under Cisco IOS systems as a "type 5" hash. +This is also referred to on Cisco IOS systems as a "type 5" hash. The format and algorithm are identical, though Cisco seems to require 4 salt characters instead of the full 8 characters used by most systems [#cisco]_. @@ -150,15 +158,14 @@ The MD5-Crypt algorithm [#f1]_ calculates a checksum as follows: Security Issues =============== -MD5-Crypt has a couple of issues which have weakened it, -though it is not yet considered broken: +MD5-Crypt has a couple of issues which have weakened severely: * It relies on the MD5 message digest, for which theoretical pre-image attacks exist [#f2]_. However, not only is this attack still only theoretical, but none of MD5's weaknesses have been show to affect MD5-Crypt's security. -* The fixed number of rounds, combined with the availability - of high-throughput MD5 implementations, means this algorithm +* More seriously, it's fixed number of rounds (combined with the availability + of high-throughput MD5 implementations) means this algorithm is increasingly vulnerable to brute force attacks. It is this issue which has motivated it's replacement by new algorithms such as :class:`~passlib.hash.bcrypt` @@ -203,3 +210,5 @@ Passlib's implementation of md5-crypt differs from the reference implementation .. [#cisco] Note about Cisco Type 5 salt size - ``_. + +.. [#phk] Deprecation Announcement from Poul-Henning Kamp - ``_. diff --git a/passlib/apache.py b/passlib/apache.py index ce4dbb9..e985667 100644 --- a/passlib/apache.py +++ b/passlib/apache.py @@ -372,7 +372,11 @@ class _CommonFile(object): #========================================================= # FIXME: apr_md5_crypt technically the default only for windows, netware and tpf. -# TODO: find out if htpasswd's "crypt" mode is crypt *call* or just des_crypt implementation. +# TODO: find out if htpasswd's "crypt" mode is a crypt() *call* or just des_crypt implementation. +# if the former, we can support anything supported by passlib.hosts.host_context, +# allowing more secure hashes than apr_md5_crypt to be used. +# could perhaps add this behavior as an option to the constructor. +# c.f. http://httpd.apache.org/docs/2.2/programs/htpasswd.html htpasswd_context = CryptContext([ "apr_md5_crypt", # man page notes supported everywhere, default on Windows, Netware, TPF "des_crypt", # man page notes server does NOT support this on Windows, Netware, TPF diff --git a/passlib/handlers/md5_crypt.py b/passlib/handlers/md5_crypt.py index 6832dcf..ec8c773 100644 --- a/passlib/handlers/md5_crypt.py +++ b/passlib/handlers/md5_crypt.py @@ -237,6 +237,13 @@ class md5_crypt(uh.HasManyBackends, _MD5_Common): If not specified, one will be autogenerated (this is recommended). If specified, it must be 0-8 characters, drawn from the regexp range ``[./0-9A-Za-z]``. + :type salt_size: int + :param salt_size: + Optional number of characters to use when autogenerating new salts. + Defaults to 8, but can be any value between 0 and 8. + (This is mainly needed when generating Cisco-compatible hashes, + which require ``salt_size=4``). + :type relaxed: bool :param relaxed: By default, providing an invalid value for one of the other -- cgit v1.2.1