Use of debian as base image disallows use of bcrypt for password hashes #29
Comments
|
nginx supports whatever is supported by libc on the system. Therefore, I suggest convincing Debian/Ubuntu libc maintainers to add bcrypt support (there are good reasons not to, see https://wiki.ubuntu.com/SecurityTeam/FAQ "SHA512-crypt as default"). |
|
And that being said, I do not really see a point of moving nginx docker image to a different base OS, considering two facts:
|
|
@thresheek Debating whether SHA-2 or bcrypt is better is beside the point. In fact, there isn't enough information to come to a proper decision. We can leave that to cryptographers. The issue is that the decision has already been made for something that is not 100% certain. If you read SHA512-crypt as default, they have made the decision for the user, rather than providing choices. Users should not have decisions made about their security-level based on the side-effect choice that the base operating system for a docker container chose not to include bcrypt in the libc implementation. This may be considered an nginx-level bug, since delegating the OS wrecks configuration portability. |
|
I agree with you on the crypto part, however I do not see how it can be fixed for this docker image. |
|
bcrypt support is now available with nginx:alpine tag, where nginx is built on top of alpine linux distribution, which has bcrypt in its libc. |
|
@thresheek Thanks! |
Please see distribution/distribution#655 for details, but the use of bcrypt with htpasswd results in the following errors:
Hunting this down shows this is dependent on the version of gcc shipped with debian. An inspection of ubuntu's crypt manpage shows it has support, although this is untested.
Either the base image needs to updated to support the modern password hashing scheme or libc needs to be recompiled for the base image.
The text was updated successfully, but these errors were encountered: