NetBSD-Bugs archive
bin/59181: bozo httpd(8) .htpasswd generation with pwhash(1) broken
>Number: 59181
>Category: bin
>Synopsis: bozo httpd(8) .htpasswd generation with pwhash(1) broken
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Mar 16 15:20:00 +0000 2025
>Originator: Martin Husemann
>Release: NetBSD 10.1_STABLE
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD plug.duskware.de 10.1_STABLE NetBSD 10.1_STABLE (GENERIC64) #52: Tue Jan 14 13:49:27 CET 2025 martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src-10/sys/arch/evbarm/compile/GENERIC64 evbarm
Architecture: aarch64
Machine: evbarm
>Description:
The httpd(8) man page says under HTTP BASIC AUTHORIZATION:
    On NetBSD, the pwhash(1) utility may be used to generate hashed
    passwords.
(side note: this could be slightly more verbose and give a concrete example).
This does not work any more on default installations with argon2 passwords,
which don't seem to work for httpd(8), and there seems to be no option to
pwhash to override /etc/passwd.conf and force generation of sha1 password hashes.
>How-To-Repeat:
Create a new .htpasswd protected resource on NetBSD 10.x or current and try
to access it.
    cd ${somewhere-in-your-httpd-root}
    echo -n "test:" > .htpasswd
    pwhash >> .htpasswd
    [enter password, \n and ^d]
    cat .htpasswd
    test:$argon2id$v=19$m=8192,t=9,p=1$pOc6UE6p......
Try to access . via httpd(8) using "test" and the entered password as credentials.
>Fix:
Workaround: use pwhash(1) on an older NetBSD system :-)
.htpasswd from the above example will look like
    test:$sha1$19808$nxOu........
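
Added example (not part of the original report): a POSIX sh check that reads .htpasswd entries on stdin and flags those whose hash uses an argon2 scheme, which the report says does not seem to work with httpd(8). The function names and the "old" sample user are constructed for illustration; the verdicts only restate what this report observes.

```shell
#!/bin/sh
# Print the scheme id of one "user:hash" line, taken from the crypt(3)-style
# "$id$" prefix of the hash field ("legacy" if the hash has no such prefix).
htpasswd_scheme() {
    line=$1
    case $line in
        *:*) hash=${line#*:} ;;
        *)   echo malformed; return 0 ;;
    esac
    case $hash in
        '$'*'$'*) rest=${hash#\$}; id=${rest%%\$*}; echo "$id" ;;
        '')       echo empty ;;
        *)        echo legacy ;;
    esac
}

# Read .htpasswd entries on stdin and print "user scheme verdict" per entry.
# Returns 1 if any entry uses an argon2 variant (reported as not working in
# PR bin/59181); sha1 is the scheme shown in the report's workaround.
audit_htpasswd() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        user=${line%%:*}
        scheme=$(htpasswd_scheme "$line")
        case $scheme in
            argon2*) verdict=broken; bad=1 ;;
            sha1)    verdict=ok ;;
            *)       verdict=unverified ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done
    return "$bad"
}

# Sample input: the two truncated entries shown in the report; the user
# name "old" is constructed.
sample() {
    cat <<'EOF'
test:$argon2id$v=19$m=8192,t=9,p=1$pOc6UE6p......
old:$sha1$19808$nxOu........
EOF
}

sample | audit_htpasswd || echo "argon2 entries found: regenerate them as sha1"
```

To check a real file, run `audit_htpasswd < .htpasswd` in the protected directory.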