What do you think about allowing multiple encryption methods to be handled?
For example, I've got a database full of UNIX crypt passwords that we'd like to migrate over to MD5. That's not really easy because we'd break all our client accounts.
However, if I could do something like:
AuthMySQLPwEncryption "md5 crypt none"
in the httpd.conf file, and it tells mod_auth_mysql to check with md5, if that fails, try crypt and if that fails, try plain text. We could cut over to MD5 passwords, and then just let users slowly migrate -- the next time they change their password in our system, it'll be changed using MD5 instead of crypt. Over time everybody's passwords will eventually become MD5 and we can phase out the crypt stuff.
I've been doing some hacking on the source and I believe I have it working so that it'll try the specified encryption algorithms; please let me know if you are interested. However, I haven't implemented the "ordering" yet so that it'll check via the order that the parameters are specified. Not really sure that's a big deal.
Also, I'd be very happy to know if this is a *bad idea* altogether....
Thanks.
I don't think it's a *bad* idea - but it is a *new* one! :-)
I don't see too much of a problem here. We would have to parse the encryption string and run the password authentication code in a loop, trying each one in turn. But I think it could be done without much additional overhead.
I agree it would be easiest just to check in the order the parameters are specified.
I am definitely interested in your patch, also. With my schedule the way it's been, I haven't been able to spend as much time on this as I would have liked.
I do have a new version just about ready to come out; I'm doing final testing on it now. The biggest change is the addition of sha1 and aes encryptions to the code, but I'm also doing a rewrite of the doc to make it easier to understand. My goal was to have it out by December 1st, but I obviously didn't make it :-). Hopefully by the end of this week.
In the meantime, could you please post this as an RFE (Request for Enhancement)? It's a much better place to post things like this because it allows us to track the request.
Thanks,
Jerry
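The ordered fallback discussed in the two posts above, sketched in Python as an added example; it is not mod_auth_mysql's code or the poster's patch. The scheme names come from the thread; the function names, the value returned for the matched scheme, and the guard on `none` are assumptions of this sketch.

```python
import hashlib
import hmac
import re

try:                      # crypt(3) binding: removed in Python 3.13, absent on Windows
    import crypt as _crypt
except ImportError:
    _crypt = None

MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

def _eq(a, b):
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(a.encode(), b.encode())

def _md5(password, stored):
    return _eq(hashlib.md5(password.encode()).hexdigest(), stored.lower())

def _unix_crypt(password, stored):
    if _crypt is None:
        return False                           # scheme unavailable on this platform
    try:
        out = _crypt.crypt(password, stored)   # stored hash doubles as the salt
    except OSError:
        return False
    return out is not None and _eq(out, stored)

def _none(password, stored):
    # Guard (assumption of this sketch): never treat an MD5-looking value as
    # plaintext, or the stored digest itself would be accepted as the password.
    # Crypt strings cannot be told apart from plaintext by shape, so this
    # covers the MD5 format only.
    return MD5_HEX.fullmatch(stored) is None and _eq(password, stored)

SCHEMES = {"md5": _md5, "crypt": _unix_crypt, "none": _none}

def check_password(methods, password, stored):
    """Try each scheme named in `methods` (e.g. "md5 crypt none") in order.
    Returns the name of the scheme that matched, or None."""
    for name in methods.lower().split():
        verify = SCHEMES.get(name)
        if verify is None:
            raise ValueError("unknown encryption method: " + name)
        if verify(password, stored):
            return name
    return None
```

Returning the matched scheme lets the calling application see which accounts still authenticate through `crypt` or `none`, so those entries can be dropped from the list once no rows depend on them.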
Hi,
All my MySQL databases are using the built password() which is MD5 for all my passwords. It would be great if I was able to use your MD5 patch.
I am not sure how I can convert MD5 to crypt so your idea would be great for me.