claudyus / LXC-Web-Panel

LXC Web Panel improved for lxc 1.0+
http://claudyus.github.io/LXC-Web-Panel/

please don't default to crypt #96

Open FlorianHeigl opened 8 years ago

FlorianHeigl commented 8 years ago

Hi,

in the readme it says:

This backend uses the crypt function; here is an example where -d forces the use of crypt encryption when generating the htpasswd file:

Please at least have your documentation not run people right into the most insecure encryption they could use. Maybe rather show how to do it with auth on the frontend webserver if it's too hard to change in lxc?

claudyus commented 8 years ago

Hi @FlorianHeigl thanks for your comment. The htpasswd backend was proposed by @mihu and is now in https://github.com/claudyus/LXC-Web-Panel/blob/master/lwp/authenticators/htpasswd.py

Feel free to propose a PR to improve it.

I don't see any security problem in using crypt to store passwords here. If your lxc host is compromised by an attacker (and he can read the htpasswd file), reversing the encryption to retrieve the lwp password is the least dangerous thing that the attacker can do.
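
An added example covering both comments above (the readme's `htpasswd -d` advice and the question of what an attacker who reads the file gains): a small audit script that reports which hash scheme each entry in an htpasswd file uses, so an operator can find `crypt` entries before a compromise rather than after. This is not code from LXC Web Panel or from the `htpasswd.py` backend; it assumes the Apache htpasswd line format (`user:hash`) and the standard scheme prefixes that format uses. The user names and hash fields in `SAMPLE_HTPASSWD` are constructed for the demonstration and are not real hashes of any password.

```python
"""Audit an htpasswd file for weak password-hash schemes.

Added example, not part of LXC Web Panel. Assumes the Apache htpasswd
line format (user:hash) and the scheme prefixes used by that format.
"""
import base64
import hashlib
import re

# Traditional crypt(3) output (what `htpasswd -d` writes) has no prefix:
# 13 characters of [A-Za-z0-9./], a 12-bit salt, and only the first 8
# characters of the password are used. That is why it is the weakest choice.
_CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")

# Schemes an operator should accept versus flag for re-hashing.
STRONG = {"bcrypt", "sha-crypt"}
WEAK = {"crypt", "apr1-md5", "sha1", "plain/unknown"}

# Constructed sample file: none of these fields is a real hash of anything.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample entries",
    "alice:$2y$05$abcdefghijklmnopqrstuvExampleOnlyNotARealHashAbcdefgh",
    "bob:$6$saltsalt$ExampleOnlyNotARealHash",
    "carol:abJnggxhB/yWI",              # crypt-format field (constructed)
    "dave:$apr1$saltsalt$ExampleOnlyNotRealHash",
    "eve:plaintextpw",                  # `htpasswd -p` stores plaintext
    # {SHA} is unsalted base64(sha1(password)); computed from a constructed value
    "frank:{SHA}" + base64.b64encode(hashlib.sha1(b"constructed").digest()).decode(),
])


def scheme_of(hash_field: str) -> str:
    """Name the hash scheme of one htpasswd hash field by its prefix/shape."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if _CRYPT_RE.match(hash_field):
        return "crypt"
    # Anything else is either a plaintext entry or a scheme this script
    # does not know; both deserve a manual look, so they are flagged.
    return "plain/unknown"


def audit_htpasswd(text: str) -> dict:
    """Map each user in an htpasswd file to its scheme (blank/comment lines skipped)."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hash_field = line.partition(":")
        report[user] = scheme_of(hash_field)
    return report


def weak_users(text: str) -> list:
    """Sorted list of users whose entries should be re-hashed with a strong scheme."""
    return sorted(u for u, s in audit_htpasswd(text).items() if s in WEAK)


if __name__ == "__main__":
    for user, scheme in audit_htpasswd(SAMPLE_HTPASSWD).items():
        flag = "OK  " if scheme in STRONG else "WEAK"
        print(f"{flag} {user}: {scheme}")
    print("re-hash:", ", ".join(weak_users(SAMPLE_HTPASSWD)))
```

Run it against a real file by replacing `SAMPLE_HTPASSWD` with the file's contents; any user it lists under `re-hash` can be regenerated with Apache's `htpasswd -B` (bcrypt) instead of `-d`. The reason this matters even on the "host already compromised" reading in the second comment is that the lwp password is frequently reused elsewhere, so how quickly a stolen htpasswd file can be cracked is the actual exposure.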