From e14d6ab791d308db4a54eb51474ae420636665d0 Mon Sep 17 00:00:00 2001
From: Lennart Jern
Date: Fri, 11 Sep 2020 13:32:00 +0300
Subject: [PATCH] Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
---
 CHANGELOG.md | 2 ++
 contrib/oauth2-proxy.cfg.example | 2 +-
 docs/configuration/configuration.md | 2 +-
 pkg/apis/options/options.go | 2 +-
 4 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f3b76f1..783c6dc7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@
 ## Changes since v6.1.1
+- [#764](https://github.com/oauth2-proxy/oauth2-proxy/pull/764) Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90)
+
 # v6.1.1
 ## Release Highlights
diff --git a/contrib/oauth2-proxy.cfg.example b/contrib/oauth2-proxy.cfg.example
index 5dd93fef..f003a054 100644
--- a/contrib/oauth2-proxy.cfg.example
+++ b/contrib/oauth2-proxy.cfg.example
@@ -59,7 +59,7 @@
 # authenticated_emails_file = ""
 ## Htpasswd File (optional)
-## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
+## Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption
 ## enabling exposes a username/login signin form
 # htpasswd_file = ""
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index d51699f5..10e0afcc 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -62,7 +62,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example
 | `--google-admin-email` | string | the google admin to impersonate for api calls | |
 | `--google-group` | string | restrict logins to members of this google group (may be given multiple times). | |
 | `--google-service-account-json` | string | the path to the service account json credentials | |
-| `--htpasswd-file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -s` for SHA encryption | |
+| `--htpasswd-file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -B` for bcrypt encryption | |
 | `--http-address` | string | `[http://]:` or `unix://` to listen on for HTTP clients | `"127.0.0.1:4180"` |
 | `--https-address` | string | `:` to listen on for HTTPS clients | `":443"` |
 | `--logging-compress` | bool | Should rotated log files be compressed using gzip | false |
diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
index 3ec1baaa..b723b60b 100644
--- a/pkg/apis/options/options.go
+++ b/pkg/apis/options/options.go
@@ -219,7 +219,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.String("client-secret", "", "the OAuth Client Secret")
 	flagSet.String("client-secret-file", "", "the file with OAuth Client Secret")
 	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
-	flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")
+	flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -B\" for bcrypt encryption")
 	flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")
 	flagSet.String("custom-templates-dir", "", "path to custom html templates")
 	flagSet.String("banner", "", "custom banner string. Use \"-\" to disable default banner.")
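Review bot: The new help string on the added `flagSet.String("htpasswd-file", ...)` line tells operators entries "must be created with htpasswd -B", but the commit only rewords the description; if the htpasswd loader still accepts SHA entries (the commit message says "hide", which suggests it does), existing files hashed with `htpasswd -s` keep working silently and nobody is told the scheme is deprecated. Consider emitting a warning where the file is parsed when a non-bcrypt entry is found, or at least extending the help text to `"... Entries must be created with \"htpasswd -B\" for bcrypt encryption; SHA entries are deprecated"` so the migration path is visible. The same wording change appears in the contrib/oauth2-proxy.cfg.example and docs/configuration/configuration.md hunks and would need the same addition. NewFlagSet begins and ends outside this hunk.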