nginx hits crit error when encountering a bcrypt password hash in auth_basic user file

Asked by Shane O'Sullivan on 2015-02-28

When utilising auth_basic with a user file, nginx hits a crit error for any password encrypted with bcrypt. Error as such:

2015/02/28 16:18:20 [crit] 13638#0: *9 crypt_r() failed (22: Invalid argument), client: XXX.XXX.XXX.XXX, server: XXX.XXXXX.net, request: "GET / HTTP/1.1", host: "XXX.XXXXX.net"

Question information

Language: English
Status: Answered
For: Ubuntu nginx
Assignee: Thomas Ward
Last query: 2015-03-01
Last reply: 2016-03-23
Thomas Ward (teward) said : #1

What version of NGINX are you using, and what Ubuntu version?

You can find the Ubuntu version information from: lsb_release -a

Please also include the information from these two commands:
nginx -V
apt-cache policy nginx

Please put all output from these commands in as either a comment or an edit to your question. Specify which output is from which command as well.

Shane O'Sullivan (hitsuji) said : #2

lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty

nginx -V:

nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module

apt-cache policy nginx:

nginx:
  Installed: 1.4.6-1ubuntu3.2
  Candidate: 1.4.6-1ubuntu3.2
  Version table:
 *** 1.4.6-1ubuntu3.2 0
        500 http://ubuntu.mirrors.ovh.net/ftp.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.4.6-1ubuntu3.1 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.4.6-1ubuntu3 0
        500 http://ubuntu.mirrors.ovh.net/ftp.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Thomas Ward (teward) said : #3

On a plain Ubuntu / Linux installation, there is usually not any bcrypt support. Therefore, it appears to me that bcrypt might not be supported (however, the hashing done by the apache2-utils htpasswd command is supported).

How did you create your password file for auth_basic?

Shane O'Sullivan (hitsuji) said : #4

I used htpasswd provided by apache2-utils (with flags -cBC 12) to generate the user file. I had assumed that bcrypt support was included in nginx considering that it's the only hashing function that's considered secure and not easily brute forced.

Thomas Ward (teward) said : #5

Let me run some more tests - it's possible that bcrypt support wasn't installed into your system - on a default Linux it wouldn't be. Did you generate the htpasswd file from the server or on your own machine?

Shane O'Sullivan (hitsuji) said : #6

Yes, the htpasswd file was generated on the server running nginx.

Thomas Ward (teward) said : #7

From testing and discussion with other nginx users and people who might know more than even I, we are not even certain that the apache2-utils htpasswd function is using the system libraries (like glibc/crypt) or whether it has its own libraries.

Per http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html:

The following password types are supported:
* encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
* hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
* specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).

I ran some tests myself and was able to replicate these same exact errors - it looks to me like bcrypt (via htpasswd) might not be supported as of yet on the auth_basic module, but I'll keep looking into it.
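An added check, not from the thread or from nginx/apache2-utils, that walks an htpasswd file and flags entries whose hash prefix is outside the password types the nginx documentation quoted above lists, so a bcrypt entry is caught before it trips crypt_r() at request time. The sample file and its hash values are constructed, and mapping $1$/$5$/$6$/DES prefixes to the "crypt()" family assumes a glibc crypt_r(), which on the Ubuntu 14.04 system above does not understand bcrypt.

```python
import re

# Hash prefix patterns, ordered most specific first.  bcrypt ($2a/$2b/$2y,
# produced by "htpasswd -B") is listed so it can be reported, not accepted.
HASH_KINDS = [
    ("bcrypt",    re.compile(r"^\$2[aby]\$\d{2}\$")),      # htpasswd -B / -BC
    ("apr1",      re.compile(r"^\$apr1\$")),               # htpasswd -m (nginx handles natively)
    ("sha-crypt", re.compile(r"^\$[56]\$")),               # glibc crypt() SHA-256 / SHA-512
    ("md5-crypt", re.compile(r"^\$1\$")),                  # glibc crypt() MD5
    ("scheme",    re.compile(r"^\{(PLAIN|SHA|SSHA)\}")),   # RFC 2307 "{scheme}data"
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),     # traditional 13-char crypt()
]

# Assumption: anything glibc crypt_r() parses counts as the documented
# "encrypted with the crypt() function" type; bcrypt is deliberately absent.
NGINX_SUPPORTED = {"apr1", "sha-crypt", "md5-crypt", "scheme", "des-crypt"}


def classify_hash(hash_field):
    """Name the hash format of one htpasswd password field, or 'unknown'."""
    for name, pattern in HASH_KINDS:
        if pattern.match(hash_field):
            return name
    return "unknown"


def audit_htpasswd(text):
    """Return (line_no, user, kind, nginx_ok) for every credential line."""
    results = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            results.append((n, user, "malformed", False))
            continue
        kind = classify_hash(hash_field)
        results.append((n, user, kind, kind in NGINX_SUPPORTED))
    return results


# Constructed sample file; none of these strings are real credentials.
SAMPLE = """\
alice:$2y$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345
bob:$apr1$saltsalt$abcdefghijklmnopqrstuv
carol:$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd
dave:{SSHA}abcdefghijklmnopqrstuvwxyz=
eve:abXYZ.1234567
"""

if __name__ == "__main__":
    for line_no, user, kind, ok in audit_htpasswd(SAMPLE):
        status = "ok" if ok else "UNSUPPORTED by nginx auth_basic (would fail in crypt_r)"
        print(f"line {line_no}: {user}: {kind}: {status}")
```

Run it against the real file (for example by reading /etc/nginx/.htpasswd into `audit_htpasswd`) before reloading nginx; any `bcrypt` or `unknown` entry is one that will produce the crit error shown in the question.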

Thomas Ward (teward) said : #8

The answer to this has not yet changed. It does not appear that bcrypt is currently supported.
