x/crypto: add crypt(3) password hash algorithms #14274
Comments
ianlancetaylor
changed the title
|
Seems reasonable to me, but CC @agl. |
rsc
changed the title
|
Ping @agl , does this sound like something you'd accept if I send patches? |
|
Ping. |
|
With suitable documentation as you mentioned, this sounds reasonable. Feel free to send a CL. If if it turns out @agl later objects passionately, you can put it under go4.org if you want to give it a non-github import path. |
|
@danderson Any progress on this? I'm currently using a libpam wrapper but would much prefer a native implementation. |
|
Note that in the meantime, https://github.com/GehirnInc/crypt has appeared. |
|
There’s another copy of what seems to be largely the same code at https://github.com/tredoe/osutil/tree/master/user/crypt and https://github.com/ncw/pwhash. I’d say it makes sense to provide a canonical implementation in x/crypto :) |
|
I would like to see this added as well. I'm working on a libnss passwd/group/shadow module that stores users in etcd. Being able to build the hash withouth using a non-standard library or manually writing my own tool kit would be stellar. |
FiloSottile
added
the
Proposal-Crypto
|
I can give this a stab. I've got some related FRs (e.g. abbot/go-http-auth#75, abbot/go-http-auth#48) and want to move the crypto-related code out of that package. And since there is already some requests to support other crypt(3) algorithms here, I'm happy to add this support. |
rsc
changed the title
This comment was marked as duplicate.
This comment was marked as duplicate.
I'm writing code that has to generate crypt(3) compatible password hashes, for installation in /etc/shadow. A Google search for a library currently offers two abandoned github repositories, at least one of which is unsafe (ignores returned errors in the crypto logic), and a stack overflow answer that uses cgo to wrap libcrypt.
I'd like to propose adding solid Go implementations of the more common crypt(3) algorithms to x/crypto. Specifically, I'd like to have support for the${1,5,6}$ algorithms (resp. MD5, SHA256, SHA512), as well as the older DES-based algorithm for universality. The package documentation should include a recommendation against using the crypt(3) algorithms unless compatibility with crypt(3)-using code is necessary, since there exist much better KDFs already in x/crypto if you're working with a clean slate.
If this sounds reasonable, I'm volunteering to provide the implementation.
The text was updated successfully, but these errors were encountered: