Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

please don't default to crypt #96

Open
FlorianHeigl opened this issue Nov 10, 2015 · 1 comment
Open

please don't default to crypt #96

FlorianHeigl opened this issue Nov 10, 2015 · 1 comment
Labels
enhancement

Comments

@FlorianHeigl
Copy link

Hi,

in the readme it says:

This backend use the crypt function, here an example where -d force the use of crypt encryption when generating the htpasswd file:

  • this application is running with root permissions
  • has access to all containers
  • has access to the base system

Please at least have your documentation not run people right into the most insecure encryption they could use.
Maybe rather show how to do it with auth on the frontend webserver if it's too hard to change in lxc?
@claudyus
Copy link
Owner

Hi @FlorianHeigl thanks for your comment.
The htpasswd backend was proposed by @mihu and is now in
https://github.com/claudyus/LXC-Web-Panel/blob/master/lwp/authenticators/htpasswd.py

Feel free to propose a PR to improve it.

I don't see any security problem in using crypt to store passwd here. If your lxc host is compromised by an attacker (and he can read the htpasswd file) reverse the encryption to retrieve the lwp password is the less dangerous thing that the attacker can do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@claudyus @FlorianHeigl