So, there we are: #swad has its second credentials checker module, using #password #files, partially #apache #htpasswd compatible (only #bcrypt, using #OpenBSD's code). 🥳

https://github.com/Zirias/swad/commit/385bc5286c607c7220067844c37bc5eb6cb6c18c

#C #coding

I need some advise: Is there a good portable and free (really free, not GPL!) #implementation of #bcrypt in #C around?

There's #OpenBSD source I could use, but integrating that would probably be quite a hassle...

Background: I want to start creating a second credential checker for #swad using files. And it probably makes sense to support a sane subset of #Apache's #htpasswd format here. Looking at the docs:
https://httpd.apache.org/docs/current/misc/password_encryptions.html
... the "sane subset" seems to be just bcrypt. *MAYBE* also this apache-specific flavor of "iterated" MD5, although that sounds a bit fishy ...

The open-source security / authentication stacks are great at the core of what they do.

... I still want to grab some of the devs who maintain them and shake 'em by the lapels for having really bad DevEx opinions.

Burned two hours this week failing to get basic auth working on a Docker registry instance because I wasn't properly binding the htpasswd file I set up. Time would have been cut in half if the log entry was "user not in the password file" instead of a generic "authentication failed." I'm sure someone was like "hurr durr you can't put that much detail in the logs, attackers could steal the logs and have so much info." Look... Fuck you, my (imaginary) guy, no attackers are gonna steal the logs because the service won't exist because I don't have enough debug info to stand it up in the first place.

#docker #auth #htpasswd #openssl

Bei Kommandos, die ich nur ab und an verwende, bin ich mir selten ganz sicher. Zwei davon erläutere ich in diesem Eintrag um sie mir besser merken zu können.

https://depone.net/2019/10/11/merkzettel-fuer-die-kommandozeile/