Item10952: configure {Htpasswd}{Encoding} defaults to crypt which throws a warning, without any guidance for what alternative to choose or why

So, add a link the support web

-- PaulHarvey - 08 Jul 2011

HtPasswdEncodingSupplement - please review

-- PaulHarvey - 08 Jul 2011

Nice Image on the docu. crypt should be deprecated due to its 8 chars limitations some users arent even aware of. Moving away from crypt will improve the overall security standards of installed foswikis out there.

-- MichaelDaum - 09 Jul 2011

Thank you for feedback. I just wanted more experienced eyes on the doc to make sure I hadn't cooked complete lies (I never used any alternative login/password manager).

-- PaulHarvey - 10 Jul 2011

Why do we seem to recommend against SHA1 for ApacheLogin? HtPasswdEncodingSupplement says " you want to allow new users to register via Foswiki, then the only out-of-the-box solution is to use an md5 encoded .htpasswd file" however on my test server I was able to register and login with apache mod_auth with SHA1. So it seems to work fine, and better yet entries in .htpasswd are "tagged" with {sha} so the file can actually contain a mixture of crypt and sha entries. Apache is quite happy with the mixture. Though ChangePassword doesn't seem to verify correctly.

BTW the "info" text does cover this in some detail for the entry in bin/configure. So instead of a supplemental document, can we expand a bit on the help for the field?

-- GeorgeClark - 11 Jul 2011

My problem was that it was a warning without a solution. Even if an admin thinks to click the info thing, they will still fail to find any firm advice on what to do.

So I thought this might be the type of documentation which would be better off living as a supplemental doc, but that probably just reflects my lack of confidence with this stuff.

If we can provide firm advice like "use sha1" (in which case that should be the default), then I'd be happy to see the supplemental doc disappear.

-- PaulHarvey - 11 Jul 2011

imo we should firmly advise the use of digest auth.

i think it functions with templateauth (though we have not yet added a js encrypter, its only a matter of time) and it is certainly more functional (and actually more reliable on windows clients) and the other options

-- SvenDowideit - 11 Jul 2011

Digest auth does work fine with template auth. The changes I've made for ImproveHtPaswdUserFlexibility addresses the documentation a bit better. The updated help text from configure is pasted in the development topic. Once the timer expires I'll commit the changes.

-- GeorgeClark - 16 Jul 2011

Setting this to waiting for release. The Htpasswd changes are considerably more extensive than this task covers.

-- GeorgeClark - 23 Jul 2011

Commenting is disabled while not logged in