[rt-users] patch for configurable crypt method?
alexmv at bestpractical.com
Fri Dec 26 14:36:31 EST 2014
On 12/19/2014 04:00 PM, Jo Rhett wrote:
> While I am very glad to see RT upgrade to blowfish/bcrypt password
> encryption with RT4 it has created a problem for sites which
> synchronize passwords. Some systems (even modern Red Hat/CentOS) have
> no bcrypt support in glibc.
> I haven’t looked in depth, but it appears from the patches that
> bcrypt is hardcoded. Would BP accept a patch which enables a
> configuration parameter to select the crypt method?
I don't think we'd take a general patch to do so, no -- though patching
it locally shouldn't be too difficult.
Note, however, that RT 3 used an unsalted MD5 (which is totally
insecure), or (after RT 3.8.9) a truncated SHA-256 of a salted MD5 of
the password -- which certainly wasn't portable. You have to go back to
RT 2.0 to get a password hash in the database that is perhaps portable,
which is the not-terribly-secure crypt(). As such, any solution which
synchronized passwords with RT previously must have had custom code; one
can presumably use a user-space implementation of bcrypt there.
More information about the rt-users