Security – PBKDF2 (or BCrypt) hash implementation for Apache HTTPD or APR

Tags: hash, httpd, security

Does anyone know of a (simple) way to use PBKDF2 or BCrypt as a password hash within Apache HTTPD?

The general scenario is that I have a resource in /private that I would like to restrict to a given group of users. Those users will have passwords stored in a database and verified using mod_auth_dbd.

I would like to get away from using SSHA.

I can see in the Apache apr-util that there is a function apr_password_validate (which handles all the now frowned upon hash types); and in apr_crypto_openssl.c there is crypto_passphrase which is an implementation of PBKDF2.

Has anyone welded the two together?
(or have I just missed something obvious somewhere in the Apache docs?)

Best Answer

So after further review, it seems that everything was a lot simpler than I'd imagined.

HTTPD uses the system-provided crypt function, and so leverages its modularity.

http://en.wikipedia.org/wiki/Crypt_(Unix)#Modular_crypt.283.29_Algorithms

In theory it supports BCrypt directly (although I did not test it). I did test SHA-512 using the $6 prefix.

So setting a password as calculated below achieves the desired result:

# Ruby: String#crypt calls the system crypt(3); '$6$' selects SHA-512 crypt
salt = 'fGn9LR75'
puts 'quohjo5oor4ac3Deolei'.crypt('$6$' + salt)
# => "$6$fGn9LR75$juRSrMtKBa8pdZ8tbTouUvDItoF9Fp.LVk8Kqv2ZL5T.R.q/nUQNGePve1Ge/8rDf/xqUwgpY.3F1MQ0qtauf0"
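As an added example (not part of the answer above), here is the full round trip the answer relies on, in Ruby: generating a modular-crypt SHA-512 hash with a random salt, and verifying a candidate password the way the server side does, by handing the stored hash back to crypt(3) as the setting string and comparing in constant time. It assumes a libcrypt that implements $6$ (glibc and libxcrypt do); the helper names and the sample password and salt are taken from the answer or constructed here.

```ruby
require 'securerandom'

# Characters crypt(3) accepts in the salt field of a modular-crypt string.
SALT_CHARS = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']

# Build a $6$ (SHA-512 crypt) hash in the modular format that Apache's
# apr_password_validate passes through to the system crypt(3).
# Assumption: the platform libcrypt supports the $6$ identifier.
def make_sha512_crypt(password, salt = nil)
  salt ||= Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  raise ArgumentError, 'salt must be 2-16 chars from [./0-9A-Za-z]' unless salt.match?(%r{\A[./0-9A-Za-z]{2,16}\z})
  password.crypt("$6$#{salt}")
end

# Constant-time equality so the time to reject a wrong password does not
# depend on how many leading characters of the hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a candidate against a stored $6$ hash: crypt(3) reads the
# identifier and salt out of the stored string, so re-running it with the
# candidate must reproduce the stored value exactly.
def sha512_crypt_valid?(stored, candidate)
  return false unless stored.start_with?('$6$')
  secure_equal?(candidate.crypt(stored), stored)
end

if __FILE__ == $PROGRAM_NAME
  # Sample password and salt from the answer above; in practice let the
  # salt default to a fresh random one per user.
  stored = make_sha512_crypt('quohjo5oor4ac3Deolei', 'fGn9LR75')
  puts stored
  puts sha512_crypt_valid?(stored, 'quohjo5oor4ac3Deolei')   # true
  puts sha512_crypt_valid?(stored, 'not-the-password')       # false
end
```

The string returned by make_sha512_crypt is what goes into the password column that your AuthDBDUserPWQuery selects; mod_auth_dbd hands it to apr_password_validate, which recognises the $ prefix and defers to crypt(3). Whether $2y$ bcrypt strings work the same way depends on the libcrypt on the box (glibc's own crypt does not implement bcrypt, libxcrypt does), although apr-util 1.5 and later validate $2y$ hashes themselves, which is what htpasswd -B produces.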