Basic Auth Password Manager. Manages basic auth password files. This replaces the functionality provided by htpasswd from Apache. It also provides modern hash functions, such as argon2 and pbkdf2_sha512, which are far superior.
- All git tags are signed with arch@sapience.com key which is available via WKD or download from https://www.sapience.com/tech. Add the key to your package builder gpg keyring. The key is included in the Arch package and the source= line with ?signed at the end can be used to verify the git tag. You can also manually verify the signature
Version 3.0.0
- Reduce our reliance on passlib (it is unmaintained).
- passlib bcrypt is broken
- there is a fork which works
- Algo changes no longer using passlib:
- bcrypt now uses python-bcrypt directly
- argon2 now uses python-argon2-cffi (which uses C library)
- pbkdf2_sha512 now uses python-cryptography
- pbkdf2_sha256 now uses python-cryptography
Older
- PEP-8, PEP-257, PEP-484 and PEP 561
- Refactor code
- Add pytests
- add python-bcrypt dependency to Arch PKGBUILD
- For simplicity, make argon2 required instead of optional
To add or modify a user and write the resulting password file:
    nginx-passwd -f <password_file> <user>

If file is not specified, then the result is written to stdout.
The supported algorithms are:
* Modern : argon2, pbkdf2_sha512, pbkdf2_sha256
* Active : sha512, sha256, bcrypt
* Deprecated: md5, apr_md5/apr1
and sha256 is the default.
These older, now deprecated algorithms (md5, apr_md5) are still supported but should be replaced by one of the active ones.
As an aside, apr_md5, also known as apr1, is the ancient Apache variant of md5.
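As an added example (not part of nginx-passwd or this README), the script below audits an existing password file and lists the users whose entries still use a deprecated algorithm, so they can be re-hashed. It assumes the hashes carry the standard modular-crypt prefixes (such as `$apr1$`, `$5$`, `$argon2id$`), which this page does not state; the function names and sample data are hypothetical.

```python
# Assumption: entries use the standard modular-crypt prefixes; the tier names
# follow the Modern / Active / Deprecated list above.
PREFIXES = [
    ("$argon2", "argon2", "modern"),
    ("$pbkdf2-sha512$", "pbkdf2_sha512", "modern"),
    ("$pbkdf2-sha256$", "pbkdf2_sha256", "modern"),
    ("$6$", "sha512", "active"),
    ("$5$", "sha256", "active"),
    ("$2", "bcrypt", "active"),  # covers $2a$, $2b$ and $2y$
    ("$apr1$", "apr_md5", "deprecated"),
    ("$1$", "md5", "deprecated"),
]
# Constructed sample file; the hash bodies are placeholders, not real hashes.
SAMPLE = """\
alice:$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$placeholder
bob:$5$rounds=535000$salt$placeholder
carol:$apr1$salt$placeholder
dave:$1$salt$placeholder
"""


def classify(hash_field):
    """Return (algorithm, tier) for one hash field, or ('unknown', 'unknown')."""
    for prefix, algo, tier in PREFIXES:
        if hash_field.startswith(prefix):
            return algo, tier
    return "unknown", "unknown"


def audit(lines):
    """Yield (user, algorithm, tier) for every 'user:hash' line."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            yield line, "malformed", "unknown"
            continue
        # nginx accepts 'user:hash:comment'; keep only the hash part.
        algo, tier = classify(hash_field.split(":", 1)[0])
        yield user, algo, tier


def deprecated_users(lines):
    """Return the users whose stored hash is in the deprecated tier."""
    return [user for user, _, tier in audit(lines) if tier == "deprecated"]
```

To audit a real file, pass an open file object to `audit()` or `deprecated_users()` in place of `SAMPLE.splitlines()`.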
The options are given below and nginx-passwd -h provides a help summary.
Positional Argument:
username
required argument.
(-h, --help)
show help message and exit
(-f, --passwd_file) <password_file>
Write to this Password file
(-a, --algo) <algorithm>
Default is sha256. Can be one of:
* Modern : argon2, pbkdf2_sha512, pbkdf2_sha256
* Active : sha512, sha256, bcrypt
* Deprecated: md5, md5_apr1
(-p, --passwd) <password>
Password as an option. Without this it will be read from stdin.
(-D, --delete)
Delete this user from the password file.
(-v, --verify)
Checks that the provided password matches that in the password file
- Available on
On Arch you can build using the PKGBUILD provided in packaging directory or from the AUR package. To build manually, clone the repo and do:
    rm -f dist/*
    /usr/bin/python -m build --wheel --no-isolation
    root_dest="/"
    ./scripts/do-install $root_dest
When running as non-root, set root_dest to a user-writable directory.
- Run Time :
- python (3.9 or later)
- passlib
NB: versions 1.1 and earlier used openssl; all newer versions now use the python passlib library.
- Building Package:
- git
- hatch (aka python-hatch)
- wheel (aka python-wheel)
- build (aka python-build)
- installer (aka python-installer)
- rsync
- Optional for building docs:
- sphinx
- texlive-latexextra (archlinux packaging of texlive tools)
We follow the live at head commit philosophy as recommended by Google's Abseil team [1]. This means we recommend using the latest commit on git master branch.
Created by Gene C. It is licensed under the terms of the MIT license.
- SPDX-License-Identifier: MIT
- SPDX-FileCopyrightText: © 2023-present Gene C <arch@sapience.com>
[1] https://abseil.io/about/philosophy#upgrade-support