Use of debian as base image disallows use of bcrypt for password hashes #29
Please see docker/distribution#655 for details, but the use of bcrypt with htpasswd results in the following errors:
Hunting this down shows this is dependent on the version of gcc shipped with Debian. An inspection of Ubuntu's crypt manpage shows it has support, although this is untested.
Either the base image needs to be updated to support the modern password hashing scheme or libc needs to be recompiled for the base image.
This was referenced
Jul 2, 2015
And that being said, I do not really see a point of moving nginx docker image to a different base OS, considering two facts:
@thresheek Debating whether SHA-2 or bcrypt is better is beside the point. In fact, there isn't enough information to come to a proper decision. We can leave that to cryptographers. The issue is that the decision has already been made for something that is not 100% certain.
If you read SHA512-crypt as default, they have made the decision for the user, rather than providing choices. Users should not have decisions made about their security-level based on the side-effect choice that the base operating system for a docker container chose not to include bcrypt in the libc implementation.
This may be considered an nginx-level bug, since delegating to the OS wrecks configuration portability.
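
Added example, not part of the issue thread or of the nginx project's code: a Python check that lists which htpasswd entries depend on the image's `crypt()` and probes whether that `crypt()` accepts a `$2y$` bcrypt setting. The scheme split follows nginx's `auth_basic_user_file` documentation; the function names, the `libcrypt.so.1` fallback and the sample entries are assumptions constructed for illustration.

```python
import ctypes
import ctypes.util

# Schemes nginx verifies itself, per its auth_basic_user_file documentation.
BUILTIN_PREFIXES = ("$apr1$", "{PLAIN}", "{SHA}", "{SSHA}")
# Prefixes passed to the OS crypt(); support depends on the image's libc.
CRYPT_PREFIXES = {"$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                  "$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}

SAMPLE = """\
# constructed entries; hash bodies are placeholders, not real hashes
alice:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDER
bob:$apr1$PLACEHOL$PLACEHOLDERPLACEHOLDER
carol:$6$PLACEHOLDER$PLACEHOLDER:ops account
dave:{SHA}PLACEHOLDER=
"""

def classify(line):
    """Return (user, scheme, needs_os_crypt) for one htpasswd line, or None."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return None
    user, rest = line.split(":", 1)
    hashed = rest.split(":", 1)[0]  # drop the optional trailing comment field
    for p in BUILTIN_PREFIXES:
        if hashed.startswith(p):
            return (user, p.strip("${}").lower(), False)
    for p, name in CRYPT_PREFIXES.items():
        if hashed.startswith(p):
            return (user, name, True)
    return (user, "des-crypt-or-unknown", True)

def os_crypt_supports_bcrypt():
    """True/False if libc crypt() accepts a $2y$ setting; None if not testable."""
    name = ctypes.util.find_library("crypt")
    try:
        lib = ctypes.CDLL(name or "libcrypt.so.1")  # assumed usual soname
        lib.crypt.restype, lib.crypt.argtypes = ctypes.c_char_p, [ctypes.c_char_p] * 2
    except (OSError, AttributeError):
        return None
    # Cost 04 and an all-'.' salt form a syntactically valid bcrypt setting.
    out = lib.crypt(b"probe", b"$2y$04$" + b"." * 22)
    return bool(out) and out.startswith(b"$2")

def unverifiable_users(htpasswd_text, bcrypt_ok):
    """Users with bcrypt entries when crypt() lacks (or may lack) bcrypt."""
    rows = filter(None, map(classify, htpasswd_text.splitlines()))
    return [u for u, scheme, _ in rows if scheme == "bcrypt" and not bcrypt_ok]
```

Running `unverifiable_users(open(path).read(), os_crypt_supports_bcrypt())` inside the container lists the accounts whose logins would fail there; a probe result of `None` is treated as unsupported.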