[GH-ISSUE #2747] [Feature Request] Allow storing passwords hashed in config files #2194

Open
opened 2026-05-05 13:24:43 -06:00 by gitea-mirror · 7 comments

Originally created by @nonnorm on GitHub (Jan 10, 2022).
Original GitHub issue: https://github.com/fatedier/frp/issues/2747

Describe the feature request

Currently, the passwords for the admin dashboard and basic authentication are stored in plaintext in the config files. This means that anyone with access to them could get the password. If they were hashed, then even if someone had the password, they wouldn't be able to log in.

Describe alternatives you've considered

Keeping passwords plaintext but only allowing the root user to access them, though this could easily be undone.

Affected area

  • [x] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [x] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others
gitea-mirror added the todo label 2026-05-05 13:24:43 -06:00

@fatedier commented on GitHub (Jan 10, 2022):

I have a few questions:

  1. Which hash algorithm should we use?
  2. How do we configure this feature and keep it compatible?

@nonnorm commented on GitHub (Jan 10, 2022):

  1. The PR currently uses bcrypt, because it is a dedicated password hashing algorithm and it is clear that it's a hash (begins with $2y$ or $2a$). It could, however, use SHA512 or a similar algorithm, though it would require a different setting to show that it's a hash.
  2. Currently it just reads the first 4 characters of the password, and if it begins with $2y$ or $2a$, it treats it as a hash. This would, however, break any passwords that happen to begin with those. It would probably be better to have a dedicated hash setting to tell if it's a hash or not.

@fatedier commented on GitHub (Jan 10, 2022):

Can users easily compute the hashed value using bcrypt? Are there any command line tools or other web tools?

I think it's tricky to use the $2y$ prefix to detect the algorithm. Can we add a new configuration option like password_hash_algorithm, defaulting to none, with bcrypt, sha512 or others as optional values?


@nonnorm commented on GitHub (Jan 10, 2022):

To compute it you can use the htpasswd command from apache-utils, though it's not installed on most systems by default:

```
htpasswd -bnBC 10 "" password | tr -d ':\n'
```

I'll add a setting to the config file to tell if it's a hash or not.


@github-actions[bot] commented on GitHub (Apr 15, 2022):

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.


@nonnorm commented on GitHub (Apr 15, 2022):

bump


@fatedier commented on GitHub (Jun 30, 2023):

When we switch our configuration file to YAML or JSON, we can use more structured configuration to describe this functionality.

Example:

```yaml
httpUser: abc
httpPassword:
  value: abcd
  hashAlgorithm: sha512
```
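The structured entry sketched above, worked through as an added example that is not frp's own code: a hypothetical HTTPPassword type carrying the value plus an explicit hashAlgorithm, verified in constant time, with the rejected $2y$/$2a$ prefix-sniffing rule kept alongside to show why a plaintext password starting with that prefix breaks it. Unsalted SHA-512 is used only because the thread names it and it is in Go's standard library; bcrypt, which the PR used, needs a third-party package.

```go
package main

import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// HTTPPassword mirrors the YAML entry proposed in the thread: the stored value
// plus an explicit algorithm ("none" or "sha512"). Hypothetical, not frp's struct.
type HTTPPassword struct {
	Value         string `yaml:"value"`
	HashAlgorithm string `yaml:"hashAlgorithm"`
}

// HashSHA512 produces the hex digest an operator would paste into the config.
// Unsalted SHA-512 is shown because the thread names it; prefer bcrypt in practice.
func HashSHA512(plain string) string {
	sum := sha512.Sum512([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// Verify checks a submitted password against the configured entry. The algorithm
// comes from the config key, never from sniffing the value, so a plaintext
// password that happens to start with "$2a$" keeps working.
func Verify(cfg HTTPPassword, submitted string) (bool, error) {
	switch strings.ToLower(cfg.HashAlgorithm) {
	case "", "none": // current plaintext behaviour, compared in constant time
		return subtle.ConstantTimeCompare([]byte(cfg.Value), []byte(submitted)) == 1, nil
	case "sha512":
		want, err := hex.DecodeString(cfg.Value)
		if err != nil || len(want) != sha512.Size {
			return false, fmt.Errorf("httpPassword.value is not a hex SHA-512 digest")
		}
		got := sha512.Sum512([]byte(submitted))
		return subtle.ConstantTimeCompare(want, got[:]) == 1, nil
	default:
		return false, fmt.Errorf("unsupported hashAlgorithm %q", cfg.HashAlgorithm)
	}
}

// PrefixSniff reproduces the first PR's rule ($2y$/$2a$ means bcrypt); it misclassifies plaintext.
func PrefixSniff(value string) bool {
	return strings.HasPrefix(value, "$2y$") || strings.HasPrefix(value, "$2a$")
}

func main() {
	cfg := HTTPPassword{Value: HashSHA512("abcd"), HashAlgorithm: "sha512"}
	fmt.Println(Verify(cfg, "abcd"))
}
```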
Reference: github-starred/frp#2194