OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: theq86 on August 17, 2023, 09:32:50 PM

Title: nginx: Basic Auth with crypted password
Post by: theq86 on August 17, 2023, 09:32:50 PM
Hey,

I want to use Basic Authentication without storing the credential's passwords in cleartext.
My first shot was to put a valid encrypted string into the password field like:

$apr1$CvlM9gn1$twwsR5.3jglwaFCIv1qKf/

# disclaimer: of course not the password actually used ;-)


but that did not work.

Does it work and I'm just doing something wrong, e.g. using an unsupported cipher/hash algorithm?

As a possible alternative solution I could use OPNsense integrated accounts using advanced ACLs. But then I would want to somehow decide WHICH of the local users can access.

Thank you.
Title: Re: nginx: Basic Auth with crypted password
Post by: Fright on August 18, 2023, 09:41:52 PM
Hi
Quote
Does it work and I'm just doing something wrong, e.g. using an unsupported cipher/hash algorithm?
I don't think it will work that way at the moment.
The password is hashed at the time the auth_basic_user_file file is generated (meaning you are actually trying to do it twice).
https://github.com/opnsense/plugins/blob/c6e58ee64813bcd51b8f58fed7851d6ccf3d14af/www/nginx/src/opnsense/scripts/nginx/setup.php#L250

Now the development of the plugin seems to have slowed down somewhat.
I hope to get back to this and I hope the maintainer will have time to look at the request (and the already opened one as well).
I would discuss with the maintainer the possibility of storing the hash in the config (instead of the plain password).
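To make the "hashed twice" point concrete, here is an added example (my own code, not the plugin's or htpasswd's) that implements the APR1 hash format `htpasswd -m` produces (the `$apr1$...` string from the first post) and models the file-generation step described above: whatever sits in the password field gets hashed when auth_basic_user_file is written, so a pasted hash is hashed again and the original password no longer verifies. `plugin_user_file_entry` is my assumption about that behaviour, not code taken from setup.php.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # apr_md5.c to64(): emit `count` sextets, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """APR1 (MD5-based) crypt as produced by `htpasswd -m`; salt is up to 8 chars."""
    pw, sp = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:  # one byte per bit of len(pw): NUL if the bit is set, else pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop, same schedule as apr_md5_encode()
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sp)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$apr1$" + sp.decode() + "$" + enc + _to64(final[11], 2)


def verify(password: str, stored: str) -> bool:
    """Re-hash with the salt embedded in `stored` and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def plugin_user_file_entry(field_value: str, salt: str = "CvlM9gn1") -> str:
    # Models the behaviour described in the thread (my assumption, not the plugin's
    # code): setup.php hashes whatever the password field holds, hash or not.
    return apr1_hash(field_value, salt)
```

Feeding `apr1_hash("secret", ...)` into `plugin_user_file_entry` yields an entry against which "secret" fails; the only string that would still verify is the pasted hash itself.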
Title: Re: nginx: Basic Auth with crypted password
Post by: theq86 on August 19, 2023, 11:41:52 AM
Quote from: Fright on August 18, 2023, 09:41:52 PM
I would discuss with the maintainer the possibility of storing the hash in the config (instead of plain password)

This would also have been my expectation in the first place. The best solution would be allowing to select the exact type of password (plain, bcrypt, whatsoever) when creating a credential. On submit it could then just use htpasswd to generate everything and store that in the config.