Bug 47162

Summary: [PATCH] crypto: read/write support for SSHA-1 (salted SHA-1)
Product: APR
Reporter: Ben Noordhuis <bnoordhuis>
Component: APR-util
Assignee: Apache Portable Runtime bugs mailinglist <bugs>
Status: NEW
Severity: enhancement
Priority: P2
Version: HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments: SSHA-1 read support.
SSHA-1 write support.

Description Ben Noordhuis 2009-05-06 15:23:04 UTC
Section 14.4.1 of the OpenLDAP admin guide:

"This is the salted version of the SHA scheme. It is believed to be the most secure password storage scheme supported by slapd."

http://www.openldap.org/doc/admin24/security.html#SSHA%20password%20storage%20scheme

Attached are two patches that add read and write support for SSHA-1. We've been running this code in production for nine months now with no hiccups, on a platform with ~120,000 customers.

I imagine the write support belongs further upstream as it patches support/ht{passwd,dbm}.c, but since it relies on a patched apr-util, I'll post it here instead.

Why, apart from security, is this useful? I can present at least one use case (ours): when migrating from LDAP-based authentication to .htaccess authentication.
Comment 1 Ben Noordhuis 2009-05-06 15:23:56 UTC
Created attachment 23621
SSHA-1 read support.
Comment 2 Ben Noordhuis 2009-05-06 15:24:29 UTC
Created attachment 23622
SSHA-1 write support.
Comment 3 Stefan Fritsch 2012-09-07 19:41:39 UTC
(In reply to comment #0)
> Why, apart from security, is this useful? I can present at least one use
> case (ours): when migrating from LDAP-based authentication to .htaccess
> authentication.

AFAICS, SSHA-1 uses only one round of SHA-1, so it's rather insecure. I don't want to add more insecure hash algorithms to htpasswd. But I would accept the use case of moving from LDAP-based authentication to file based authentication. But for that, only the verify ("read") support would be needed. Do you agree that verify support alone would be useful?
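For reference, here is the {SSHA} scheme the two attached patches implement, written out as an added example (not the attached patches, not apr-util code, and not OpenLDAP's). The "write" side produces the RFC 2307 / OpenLDAP string base64(SHA-1(password || salt) || salt), and the "read" side is the verify-only support discussed in comment 3; the 4-byte default salt length is an assumption (OpenLDAP's default), any salt length is accepted on verify, and the sample userPassword value at the bottom is constructed here.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# {SSHA} layout: base64( SHA-1(password || salt) || salt ), SHA-1 digest is 20 bytes
SHA1_LEN = 20
PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """'Write' side: build an {SSHA} string. Draws a 4-byte random salt
    (assumed default, as OpenLDAP does) when none is given."""
    if salt is None:
        salt = os.urandom(4)
    # A single SHA-1 pass over password || salt, no iteration count: this is
    # the property comment 3 objects to (salt defeats shared rainbow tables,
    # but one round does nothing to slow down a per-hash guessing attack).
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Parse an {SSHA} string into (digest, salt); None if malformed.
    The scheme tag is matched case-insensitively; the salt is whatever
    follows the 20-byte digest and must be at least one byte."""
    if len(stored) < len(PREFIX) or stored[:len(PREFIX)].upper() != PREFIX:
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SHA1_LEN:
        return None
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """'Read' side: check password against an {SSHA} string."""
    parts = split_ssha(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    # Constructed value standing in for a userPassword attribute exported from LDAP.
    migrated = ssha_hash("correct horse", b"\x01\x02\x03\x04")
    print(migrated, ssha_verify("correct horse", migrated), ssha_verify("wrong", migrated))
```

A file-based verifier only needs `ssha_verify`; `ssha_hash` is what the write patch to htpasswd would add.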