Priority: Normal
Current State: Closed
Released In: 1.1.4
Target Release: patch
So, add a link to the support web
--
PaulHarvey - 08 Jul 2011
HtPasswdEncodingSupplement - please review
--
PaulHarvey - 08 Jul 2011
Nice image on the docu. crypt should be deprecated due to its 8-character limitation, which some users aren't even aware of. Moving away from crypt will improve the overall security standards of installed Foswikis out there.
--
MichaelDaum - 09 Jul 2011
Thank you for feedback. I just wanted more experienced eyes on the doc to make sure I hadn't cooked complete lies (I never used any alternative login/password manager).
--
PaulHarvey - 10 Jul 2011
Why do we seem to recommend against SHA1 for ApacheLogin?
HtPasswdEncodingSupplement says "you want to allow new users to register via Foswiki, then the only out-of-the-box solution is to use an md5 encoded .htpasswd file" however on my test server I was able to register and login with apache mod_auth with SHA1. So it seems to work fine, and better yet entries in .htpasswd are "tagged" with {sha} so the file can actually contain a mixture of crypt and sha entries. Apache is quite happy with the mixture. Though ChangePassword doesn't seem to verify correctly.
BTW the "info" text does cover this in some detail for the entry in bin/configure. So instead of a supplemental document, can we expand a bit on the help for the field?
--
GeorgeClark - 11 Jul 2011
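The mixed-scheme .htpasswd file described in the comment above can be audited per entry. This is an added example, not part of the original thread and not Foswiki's code: it classifies each line by hash scheme and checks a password against a {SHA} entry. The function names, users, realm and hashes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def sha1_entry(password):
    """Build the {SHA} form: base64 of the raw, unsalted SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def classify(line):
    """Return (user, scheme) for one password-file line."""
    fields = line.strip().split(":")
    user, second = fields[0], fields[1] if len(fields) > 1 else ""
    # htdigest layout: user:realm:MD5(user:realm:password) as 32 hex digits.
    if len(fields) >= 3 and re.fullmatch(r"[0-9a-f]{32}", fields[2]):
        return user, "htdigest-md5"
    if second.startswith("{SHA}"):
        return user, "sha1"          # tagged entry, unsalted SHA-1
    if second.startswith("$apr1$"):
        return user, "apache-md5"    # salted, iterated MD5
    if re.fullmatch(r"[./0-9A-Za-z]{13}", second):
        return user, "crypt"         # DES crypt: only 8 password chars count
    return user, "unknown"           # unrecognised, possibly plain text

def audit(text):
    """Map each user in the file to the scheme its entry uses."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return dict(classify(l) for l in lines)

def check_sha1(stored, candidate):
    """Verify a candidate password against a stored {SHA} entry."""
    return hmac.compare_digest(stored, sha1_entry(candidate))

# Constructed sample file; every value below is made up for this example.
SAMPLE = "\n".join([
    "alice:" + sha1_entry("correct horse"),
    "bob:rqXexS6ZhobKA",
    "carol:$apr1$abcdefgh$0123456789abcdefghijkl",
    "dave:Foswiki:" + hashlib.md5(b"dave:Foswiki:hunter2").hexdigest(),
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user:6} {scheme}")
```

Entries reported as crypt are the ones affected by the 8-character limitation raised earlier in the thread.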
My problem was that it was a warning without a solution. Even if an admin thinks to click the info thing, they will still fail to find any firm advice on what to do.
So I thought this might be the type of documentation which would be better off living as a supplemental doc, but that probably just reflects my lack of confidence with this stuff.
If we can provide firm advice like "use sha1" (in which case that should be the default), then I'd be happy to see the supplemental doc disappear.
--
PaulHarvey - 11 Jul 2011
IMO we should firmly advise the use of digest auth.
I think it functions with templateauth (though we have not yet added a JS encrypter, it's only a matter of time) and it is certainly more functional (and actually more reliable on Windows clients) than the other options
--
SvenDowideit - 11 Jul 2011
Digest auth does work fine with template auth. The changes I've made for ImproveHtPaswdUserFlexibility address the documentation a bit better. The updated help text from configure is pasted in the development topic. Once the timer expires I'll commit the changes.
--
GeorgeClark - 16 Jul 2011
Setting this to waiting for release. The Htpasswd changes are considerably more extensive than this task covers.
--
GeorgeClark - 23 Jul 2011