Docker registry - basic authentication with htpasswd #655

Closed
plamer opened this Issue Jun 22, 2015 · 21 comments

plamer commented Jun 22, 2015

Hello there,

I've noticed here https://docs.docker.com/registry/authentication/ that it is suggested to use -B (Force bcrypt encryption of the password (very secure)) with htpasswd when generating the password, but it requires bcrypt. So after bringing up the nginx/registry images you get this on the server:

nginx_1    | 2015/06/22 09:00:25 [crit] 5#5: *2 crypt_r() failed (22: Invalid argument)

and this on the client trying to authenticate to the registry:

FATA[0000] Error response from daemon: no successful auth challenge for https://someregistry.something:443/v2/ - errors: [basic auth attempt to https://someregistry.something:443/v2/ realm "registry.localhost" failed with status: 500 Internal Server Error]

After using htpasswd without -B (htpasswd -bc ...) it worked right away.

hunterchung commented Jun 23, 2015

I got the same error, and your answer saved me. Thanks @plamer!

Contributor

stevvooe commented Jun 25, 2015

@plamer The problem here is with nginx's support for htpasswd file. The use of htpasswd -bc uses the insecure apache md5 algorithm. We recommend that users use bcrypt.

What version of nginx are you using? What operating system are you running ($ uname -a)?

hunterchung commented Jun 25, 2015

Mine was pulled from docker hub, the latest one, which should be 1.9.2.

Author

plamer commented Jun 25, 2015

Hey @stevvooe , I'm using nginx:1.9 and registry:2, followed the docs. Running docker on CentOS 7.

Contributor

stevvooe commented Jun 26, 2015

Sounds like support for bcrypt is OS dependent. Nginx relies on the libc implementation of crypt (in this case crypt_r). This is going to be dependent on the container's OS where nginx is running, so I am not sure of the cause here. The host OS should not affect this.

Here is another link describing the issue:

https://answers.launchpad.net/ubuntu/+source/nginx/+question/263001

I am not sure what the resolution here should be. I'd not recommend using an insecure authentication password format. I am assuming this worked for @dmp42 when he wrote the guide.

nikitamendelbaum commented Jul 1, 2015

I experience the same issue. I configured everything according to https://docs.docker.com/registry/authentication/ and double-checked everything. Nothing helps with bcrypt except not using it (as suggested in this issue).

phuihock commented Jul 1, 2015

I have the same issue. Further investigation led me to this http://stackoverflow.com/a/30545501/228683
Because nginx:1.9 is based on Debian Jessie, it seems there's no way of getting it to work short of recompiling glibc. I ended up using a salted SHA password.

Contributor

stevvooe commented Jul 1, 2015

@phuihock @Wombasta @plamer I'd recommend filing an issue over at https://github.com/docker-library/official-images/issues to correct the base image to have proper support for bcrypt. Using a less secure hash is not a good option. If you don't care, use htpasswd without bcrypt. Optionally, just use Apache HTTPD, which supports bcrypt out of the box.

I'm not sure if this will help, but we've become tired of dealing with nginx's edge cases for new users, so registry 2.1 will come with htpasswd based basic auth support.

@dmp42 PTAL

melon commented Jul 2, 2015

same issue!
ubuntu 14.04 nginx 1.9 registry 2

Contributor

stevvooe commented Jul 2, 2015

@Wombasta Thank you for filing the issue. I've filed the issue over at nginxinc/docker-nginx#29.

thresheek commented Jul 2, 2015

I guess the docs need to be fixed to use SHA-2.

Contributor

stevvooe commented Jul 3, 2015

@thresheek I'm going to see if we can track down the source of this problem and get it fixed there. I'd rather not suggest people use an insecure hash or one that is incompatible with the htpasswd support coming in 2.1 (only bcrypt is supported).

If this is unsuccessful, we'll get the docs fixed before 2.1.

stevvooe added this to the Registry/2.1 milestone Jul 3, 2015

soulcreate commented Jul 14, 2015

Same problem for me.

jmitchell added a commit to jmitchell/distribution that referenced this issue Aug 9, 2015

Docs: reference known issue
Potential time-sink for anyone deploying a private docker registry with authentication. See docker#655.

Signed-off-by: Jacob Mitchell <jmitchell@member.fsf.org>

Member

dmp42 commented Aug 10, 2015

We removed bcrypt from the Nginx specific documentation, and also made the native basic auth feature the recommended default (that does support bcrypt).

Documentation has been fixed in #837

dmp42 closed this Aug 10, 2015
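
An audit helper for the hash-format mismatch discussed in this thread, added here as an example (not code from the registry or nginx projects): it classifies each htpasswd entry by its prefix and reports whether the registry's native basic auth would accept it (bcrypt only, per the comments above) and whether nginx verifies it itself or hands it to libc crypt_r(). The prefix table and the set of schemes nginx handles internally are assumptions taken from the htpasswd and nginx documentation, and the sample entries are constructed placeholders, not real hashes.

```python
import re

# Hash prefixes written by htpasswd and common crypt(3) implementations
# (assumption: taken from the htpasswd and nginx documentation).
SCHEMES = [
    (re.compile(r"^\$2[abxy]\$\d{2}\$"), "bcrypt"),      # htpasswd -B
    (re.compile(r"^\$apr1\$"), "apr1-md5"),              # htpasswd default / -m
    (re.compile(r"^\{SSHA\}"), "ssha"),                  # salted SHA-1
    (re.compile(r"^\{SHA\}"), "sha1"),                   # htpasswd -s
    (re.compile(r"^\{PLAIN\}"), "plain"),
    (re.compile(r"^\$[156]\$"), "libc-crypt"),           # md5/sha256/sha512-crypt
]
# Schemes nginx verifies itself; anything else is passed to libc crypt_r().
NGINX_BUILTIN = {"apr1-md5", "ssha", "sha1", "plain"}

# Constructed placeholder entries, not real password hashes.
SAMPLE = """\
alice:$2y$05$CONSTRUCTEDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bob:$apr1$CONSTRUC$xxxxxxxxxxxxxxxxxxxxxx
carol:{SHA}CONSTRUCTEDxxxxxxxxxxxxxxxx=
dave:$6$CONSTRUCTED$xxxxxxxxxxxxxxxxxxxxxxxx
"""


def classify(hash_field):
    """Name the hash scheme of one htpasswd hash field."""
    for pattern, name in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "des-or-unknown"


def audit(htpasswd_text):
    """Map each user to scheme, registry acceptance and nginx code path."""
    report = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        report[user] = {
            "scheme": scheme,
            "registry_ok": scheme == "bcrypt",  # registry 2.1: bcrypt only
            "nginx": "builtin" if scheme in NGINX_BUILTIN else "libc",
        }
    return report


if __name__ == "__main__":
    for user, info in audit(SAMPLE).items():
        print(user, info)
```

An entry reported as "libc" for nginx, as bcrypt is, only verifies when the container image's libc crypt supports that scheme, which is the crypt_r() failure reported in this issue.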

cshimmin commented Sep 26, 2015

Just wanted to chime in and say this is still a time sink. Ran into the exact issue (standard nginx container trying to share htpasswd with registry:2) and it took a long time for me to figure this out.

The only docs I encountered (namely [1]) simply mention that bcrypt is "recommended" when in fact it is required. The comment in #837 is very indirect and doesn't make the issue clear. Either this requirement should be stated very clearly ("htpasswd must be encrypted with bcrypt"), or even better simply support less secure hashes.

[1] https://docs.docker.com/registry/deploying/


dmp42 commented Sep 28, 2015

@cshimmin https://github.com/docker/distribution/blob/master/docs/nginx.md contains explicit steps for nginx for people who really want nginx.

cdaringe commented Jan 29, 2017

eeek. both links are dead

Contributor

stevvooe commented Jan 30, 2017

aikomastboom commented Feb 16, 2017

workaround: use nginx:alpine image
nginxinc/docker-nginx#29 (comment)

innocent-wang commented Dec 24, 2017

-bc solves the problem
