HAProxy community

Can't use hash password for user authentication

Hello everyone,

For the past few month, i’ve always wanted to put hashed password inside my haproxy config file to secure out the passwords of my users when someone has to come and modify the config file.

But whenever i tried to hash the password and use it inside the config file, i’m never able to connect after the modification.
I’ve used many hashing method: MD5, SHA1, SHA256 and SHA512 but none of these worked.

There is a sample of a user configured with a hashed SHA512 generated with the following command “echo -n ‘1xgp379n3h1w1eu’ | sha512sum”
In this exemple, i configured a user with the hashed password and one without the hash

user user-hashed password 407f9f104b111708fec38c28aef6dc7e3ee066e6a6e86459352c5556bf3dcb3c7cc9f1cb7fd04df4341b1d3532e5b010ff002479fa781e946717289206835010
user user-insecure insecure-password 1xgp379n3h1w1eu

After restarting my haproxy, i can’t log in with the hashed password user but i’m able to with the insecure password. (They are in the same group and configured in a backend in my confg file)

Is there a specific option while building haproxy from source or is it include from the epel repo ?
I’ve no seen any option about this in the haproxy official documentation and i can’t find any answer on google about this. This is pretty confusing

As per the docs:
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.4-user

Encrypted passwords are evaluated using the crypt(3) function

That’s not a crypt() compatible hash. Use mkpasswd:

$ mkpasswd -m sha-512 1xgp379n3h1w1eu
$6$936EnJ5pRT1nio$eACwG9/ReDOzNlH9c5sh0TP6WZkZLa8oU4J6diNx98K55gRyAZMZD3Cna3G3XfVy60CXsUIqogo6pM4IxmKCc1
$

Please do carefully read the documentation about hashed-passwords and it’s impact on CPU usage. Consider that this has to be hashed for every single transaction. This can kill your load-balancer.

Hey ty for the solution now i get it.
I’ve never seen anywhere that “sha512sum” don’t use the crypt() function.
Just for peoples who wonder, you have to install the package “whois” on Debian 9 which contain the mkpasswd command.

sha512sum will generate a sha512 hash, and nothing more. Crypt() adds salt as well as an identifier for the hash, see man 3 crypt for more. It could even add a rounds specifier.