nginx hits crit error when encountering a bcript password hash in auth basic user file

Asked by Shane O'Sullivan

when utilising auth_basic with a user file, nginx hits a crit error for any password encrypted with bcript. Error as such:

2015/02/28 16:18:20 [crit] 13638#0: *9 crypt_r() failed (22: Invalid argument), client: XXX.XXX.XXX.XXX, server:, request: "GET / HTTP/1.1", host: ""

Question information

English Edit question
Ubuntu nginx Edit question
Thomas Ward Edit question
Last query:
Last reply:
Revision history for this message
Thomas Ward (teward) said :

What version of NGINX are you using, and what Ubuntu version?

You can find the Ubuntu version information from: lsb_release -a

Please also include the information from these two commands:
nginx -V
apt-cache policy nginx

Please put all output from these commands in as either a comment or an edit to your question. Specify which output is from which command as well.

Revision history for this message
Shane O'Sullivan (hitsuji) said :

lsb_release -a:

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty

nginx -V:

nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module

apt-cache policy nginx:

  Installed: 1.4.6-1ubuntu3.2
  Candidate: 1.4.6-1ubuntu3.2
  Version table:
 *** 1.4.6-1ubuntu3.2 0
        500 trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.4.6-1ubuntu3.1 0
        500 trusty-security/main amd64 Packages
     1.4.6-1ubuntu3 0
        500 trusty/main amd64 Packages

Revision history for this message
Thomas Ward (teward) said :

On a plain Ubuntu / Linux installation, there is usually not any bcrypt support. Therefore, it appears to me that bcrypt might not be supported (however, the hashing done by the apache2-utils htpassword command is supported).

How did you create your password file for auth_basic?

Revision history for this message
Shane O'Sullivan (hitsuji) said :

I used htpasswd provided by apache2-utils (with flags -cBC 12) to generate the user file. I had assumed that bcrypt support was included in nginx considering that it's the only hashing function that's considered secure and not easily brute forced.

Revision history for this message
Thomas Ward (teward) said :

Let me run some more tests - it's possible that bcrypt support wasn't installed into your system - on a default Linux it wouldn't be. Did you generate the htpasswd file from the server or on your own machine?

Revision history for this message
Shane O'Sullivan (hitsuji) said :

Yes, the htpasswd file was generated on the server running nginx.

Revision history for this message
Thomas Ward (teward) said :

From testing and discussion with other nginx users and people who might know more than even I, we are not even certain that the apache2-utils htpasswd function is using the system libraries (like glibc/crypt) or whether it has its own libraries.


The following password types are supported:
* encrypted with the crypt() function; can be generated using the “htpasswd” utility from the Apache HTTP Server distribution or the “openssl passwd” command;
* hashed with the Apache variant of the MD5-based password algorithm (apr1); can be generated with the same tools;
* specified by the “{scheme}data” syntax (1.0.3+) as described in RFC 2307; currently implemented schemes include PLAIN (an example one, should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be used) and SSHA (salted SHA-1 hashing, used by some software packages, notably OpenLDAP and Dovecot).

I ran some tests myself and was able to replicate these same exact errors - it looks to me like bcrypt (via htpasswd) might not be supported as of yet on the auth_basic module, but I'll keep looking into it.

Revision history for this message
Thomas Ward (teward) said :

The answer to this has not yet changed. It does not appear that bcrypt is currently supported.

Can you help with this problem?

Provide an answer of your own, or ask Shane O'Sullivan for more information if necessary.

To post a message you must log in.