Patch for configurable crypt method?

While I am very glad to see RT upgrade to blowfish/bcrypt password encryption with RT4 it has created a problem for sites which synchronize passwords. Some systems (even modern Red Hat/CentOS) have no bcrypt support in glibc.

I haven’t looked in depth, but it appears from the patches that bcrypt is hardcoded. Would BP accept a patch which enables a configuration parameter to select the crypt method?

Jo Rhett
+1 (415) 999-1798
Skype: jorhett
Net Consonance : net philanthropy to improve open source and internet projects.

I don’t think we’d take a general patch to do so, no – though patching
it locally shouldn’t be too difficult.

Note, however, that RT 3 used an unsalted MD5 (which is totally
insecure), or (after RT 3.8.9) a truncated SHA-256 of a salted MD5 of
the password – which certainly wasn’t portable. You have to go back to
RT 2.0 to get a password hash in the database that is perhaps portable,
which is the not-terribly-secure crypt(). As such, any solution which
synchronized passwords with RT previously must have had custom code; one
can presumably use a user-space implementation of bcrypt there.

  • Alex