kubernetes/ingress-nginx

Basic Auth: deprecation of DES crypt

Open

#7,251 opened on Jun 18, 2021

Labels: help wanted, kind/feature, priority/important-longterm

Description

When using a RHEL / CentOS / UBI 7 or 8 base image build of nginx, several of the e2e tests fail due to DES deprecation with crypt.

ingress-nginx should default to SHA-hashed passwords for basic auth. Currently hashes are generated from `openssl passwd -crypt`; `-crypt` can be replaced with `-6`, and the following line should indicate a different hashing method in the salt, like `foo:$6$`:

https://github.com/kubernetes/ingress-nginx/blob/b1c8e3047ba31d7ea78f6e0915d187db75230ba5/test/e2e/annotations/auth.go#L210

Without specifying a different hashing method in the salt, the test will fail with a 500 code and a log message error like `crypt_r() failed (22: Invalid argument)` when using one of the above-mentioned base images.

If the approach with updating the tests sounds acceptable I would be happy to submit a PR.

/kind feature
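
An added example, not part of the original issue or the ingress-nginx code base: a Python check that classifies each entry of an htpasswd-format basic-auth file by its hash prefix and lists the users still on traditional DES crypt (13 characters, no `$` prefix), which are the entries that would hit the `crypt_r()` failure described above. The function names and sample entries are constructed for illustration; the sample hashes have the right shape only.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, no "$" scheme prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Scheme markers nginx auth_basic_user_file entries can carry.
PREFIXES = [
    ("$6$", "sha512-crypt"),
    ("$5$", "sha256-crypt"),
    ("$apr1$", "apache-md5"),
    ("$1$", "md5-crypt"),
    ("{SSHA}", "salted-sha1"),
    ("{SHA}", "sha1"),
    ("{PLAIN}", "plaintext"),
]

def classify(hash_field):
    """Name the hashing scheme of one password field."""
    for prefix, name in PREFIXES:
        if hash_field.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT.fullmatch(hash_field) else "unknown"

def audit(htpasswd_text):
    """Return (line_no, user, scheme) for every user entry."""
    findings = []
    for n, line in enumerate(htpasswd_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        hash_field = rest.split(":", 1)[0]  # drop optional ":comment"
        findings.append((n, user, classify(hash_field)))
    return findings

def des_users(htpasswd_text):
    """Users whose hash must be regenerated (e.g. with openssl passwd -6)."""
    return [u for _, u, scheme in audit(htpasswd_text) if scheme == "des-crypt"]

# Constructed sample: shapes only, not real password hashes.
SAMPLE = "\n".join([
    "# constructed entries",
    "alice:ab0123456789.",
    "bob:$6$examplesalt$" + "A" * 86 + ":migrated",
    "carol:$apr1$exsalt00$" + "B" * 22,
])

if __name__ == "__main__":
    for line_no, user, scheme in audit(SAMPLE):
        print(f"line {line_no}: {user}: {scheme}")
```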
