using salted sha512 for htpasswd by default

2026-01-29 09:01:54 +08:00 · 2025-02-11 16:55:45 +02:00
parent 800d2724b8
commit de4f1903aa
8 changed files with 88 additions and 29 deletions
--- a/kvmd/apps/htpasswd/init.py
+++ b/kvmd/apps/htpasswd/init.py
@@ -30,14 +30,14 @@ import argparse

 from typing import Generator

-import passlib.apache
-
 from ...yamlconf import Section

 from ...validators import ValidatorError
 from ...validators.auth import valid_user
 from ...validators.auth import valid_passwd

+from ...crypto import KvmdHtpasswdFile
+
 from .. import init


@@ -50,7 +50,7 @@ def _get_htpasswd_path(config: Section) -> str:


@contextlib.contextmanager
-def _get_htpasswd_for_write(config: Section) -> Generator[passlib.apache.HtpasswdFile, None, None]:
+def _get_htpasswd_for_write(config: Section) -> Generator[KvmdHtpasswdFile, None, None]:
    path = _get_htpasswd_path(config)
    (tmp_fd, tmp_path) = tempfile.mkstemp(
        prefix=f".{os.path.basename(path)}.",
@@ -65,7 +65,7 @@ def _get_htpasswd_for_write(config: Section) -> Generator[passlib.apache.Htpassw
                os.fchmod(tmp_fd, st.st_mode)
        finally:
            os.close(tmp_fd)
-        htpasswd = passlib.apache.HtpasswdFile(tmp_path)
+        htpasswd = KvmdHtpasswdFile(tmp_path)
        yield htpasswd
        htpasswd.save()
        os.rename(tmp_path, path)
@@ -96,7 +96,7 @@ def _print_invalidate_tip(prepend_nl: bool) -> None:

 # ====
 def _cmd_list(config: Section, _: argparse.Namespace) -> None:
-    for user in sorted(passlib.apache.HtpasswdFile(_get_htpasswd_path(config)).users()):
+    for user in sorted(KvmdHtpasswdFile(_get_htpasswd_path(config)).users()):
        print(user)


--- a/kvmd/crypto.py
+++ b/kvmd/crypto.py
@@ -0,0 +1,58 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main PiKVM daemon.                                           #
+#                                                                            #
+#    Copyright (C) 2018-2024  Maxim Devaev <mdevaev@gmail.com>               #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+from passlib.context import CryptContext
+from passlib.apache import HtpasswdFile as _ApacheHtpasswdFile
+from passlib.apache import htpasswd_context as _apache_htpasswd_ctx
+
+
+# =====
+_SHA512 = "ldap_salted_sha512"
+_SHA256 = "ldap_salted_sha256"
+
+
+def _make_kvmd_htpasswd_context() -> CryptContext:
+    schemes = list(_apache_htpasswd_ctx.schemes())
+    for alg in [_SHA256, _SHA512]:
+        if alg in schemes:
+            schemes.remove(alg)
+        schemes.insert(0, alg)
+    assert schemes[0] == _SHA512
+    return CryptContext(
+        schemes=schemes,
+        default=_SHA512,
+        bcrypt__ident="2y",  # See note in the passlib.apache
+    )
+
+
+_kvmd_htpasswd_ctx = _make_kvmd_htpasswd_context()
+
+
+# =====
+class KvmdHtpasswdFile(_ApacheHtpasswdFile):
+    def __init__(self, path: str, new: bool=False) -> None:
+        super().__init__(
+            path=path,
+            default_scheme=_SHA512,
+            context=_kvmd_htpasswd_ctx,
+            new=new,
+        )
--- a/kvmd/plugins/auth/htpasswd.py
+++ b/kvmd/plugins/auth/htpasswd.py
@@ -20,12 +20,12 @@
 # ========================================================================== #


-import passlib.apache
-
 from ...yamlconf import Option

 from ...validators.os import valid_abs_file

+from ...crypto import KvmdHtpasswdFile
+
 from . import BaseAuthService


@@ -43,5 +43,5 @@ class Plugin(BaseAuthService):
    async def authorize(self, user: str, passwd: str) -> bool:
        assert user == user.strip()
        assert user
-        htpasswd = passlib.apache.HtpasswdFile(self.__path)
+        htpasswd = KvmdHtpasswdFile(self.__path)
        return htpasswd.check_password(user, passwd)