Posted to dev@cloudstack.apache.org by Venkata Siva Vijayendra Bhamidipati <vi...@citrix.com> on 2013/04/01 20:10:48 UTC

Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack


> On March 29, 2013, 5:22 p.m., Min Chen wrote:
> > api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java, line 66
> > <https://reviews.apache.org/r/10039/diff/1/?file=272336#file272336line66>
> >
> >     If password is default hashed to SHA256SALT, then it should not be clear text password. This description is contradictory to me.

Hi Min, this is the password that needs to be sent in by the client - it will need to be the clear text password itself - even if plaintext authentication is being used and the password passed in is itself a hash, technically it would still be a clear text password that matches the password stored in the db. That is what is reflected in the description above. The sha encoding kicks in only on the server side. If the cleartext is to be protected, SSL via HTTPS would serve that purpose.


> On March 29, 2013, 5:22 p.m., Min Chen wrote:
> > developer/developer-prefill.sql, line 39
> > <https://reviews.apache.org/r/10039/diff/1/?file=272341#file272341line39>
> >
> >     Should this password be encoded using SHA if that is the default way? The pre-filled one is still MD5.

If the admin user is created as enabled, the mgmt server will leave the password as is and not change it. However, if created as disabled, the mgmt server code, when creating the admin user, will replace the password for the admin user as hash("password") where the hash function is the default function configured.


- Venkata Siva Vijayendra


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/10039/#review18519
-----------------------------------------------------------


On March 28, 2013, 8:26 p.m., Venkata Siva Vijayendra Bhamidipati wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/10039/
> -----------------------------------------------------------
> 
> (Updated March 28, 2013, 8:26 p.m.)
> 
> 
> Review request for cloudstack, Hugo Trippaers, Kelven Yang, and Min Chen.
> 
> 
> Description
> -------
> 
> Changing default password encoding mechanism from MD5 to SHA256Salted.
> 
> 
> This addresses bug CS-1734.
> 
> 
> Diffs
> -----
> 
>   api/src/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java 89673ea 
>   api/src/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java fb29e1a 
>   api/src/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java 1f31662 
>   client/tomcatconf/componentContext.xml.in 016df0a 
>   client/tomcatconf/nonossComponentContext.xml.in 8f8dae5 
>   developer/developer-prefill.sql 6300d35 
>   plugins/user-authenticators/ldap/src/com/cloud/server/auth/LDAPUserAuthenticator.java 61eebe5 
>   plugins/user-authenticators/md5/src/com/cloud/server/auth/MD5UserAuthenticator.java 026125e 
>   plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3 
>   plugins/user-authenticators/sha256salted/src/com/cloud/server/auth/SHA256SaltedUserAuthenticator.java 1b29f69 
>   server/src/com/cloud/server/ManagementServerImpl.java b689f93 
>   server/src/com/cloud/user/AccountManagerImpl.java b69f314 
> 
> Diff: https://reviews.apache.org/r/10039/diff/
> 
> 
> Testing
> -------
> 
> Manual testing done for both oss and nonoss components. Both admin and users added later are encoded according to the scheme configured, and authenticated by the same scheme.
> 
> To change the order of the schemes, modify the following list properties in client/tomcatconf/nonossComponentContext.xml.in or client/tomcatconf/componentContext.xml.in as applicable, to the desired order:
> 
>     <property name="UserAuthenticators">
>         <list>
>             <ref bean="SHA256SaltedUserAuthenticator"/>
>             <ref bean="MD5UserAuthenticator"/>
>             <ref bean="LDAPUserAuthenticator"/>
>             <ref bean="PlainTextUserAuthenticator"/>
>         </list>
>     </property>
> 
>     <property name="UserPasswordEncoders">
>         <list>
>             <ref bean="SHA256SaltedUserAuthenticator"/>
>             <ref bean="MD5UserAuthenticator"/>
>             <ref bean="LDAPUserAuthenticator"/>
>             <ref bean="PlainTextUserAuthenticator"/>
>         </list>
>     </property>
> 
> 
> Thanks,
> 
> Venkata Siva Vijayendra Bhamidipati
> 
>
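The ordered UserAuthenticators / UserPasswordEncoders lists from the review request, sketched as an added Python example (this is not CloudStack's code; the class names and the `salt:digest` stored-hash format are assumptions). It shows why order matters: the first encoder hashes new passwords, while login tries every authenticator in turn, so rows still holding legacy MD5 hashes keep working until they are re-encoded.

```python
# Added illustration, not CloudStack's implementation. The stored format
# "salt:hexdigest" for the salted scheme is an assumption made for this example.
import hashlib
import hmac
import secrets
from typing import Optional


class SHA256SaltedAuthenticator:
    name = "SHA256Salted"

    def encode(self, password: str) -> str:
        # Fresh random salt per password, so equal passwords hash differently.
        salt = secrets.token_hex(16)
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return f"{salt}:{digest}"

    def authenticate(self, password: str, stored: str) -> bool:
        if ":" not in stored:
            return False  # not our format; let the next authenticator try
        salt, digest = stored.split(":", 1)
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)


class MD5Authenticator:
    name = "MD5"  # legacy, unsalted; kept only so old rows still authenticate

    def encode(self, password: str) -> str:
        return hashlib.md5(password.encode()).hexdigest()

    def authenticate(self, password: str, stored: str) -> bool:
        return hmac.compare_digest(self.encode(password), stored)


# Same order as the <list> in componentContext.xml.in: first entry is the
# default encoder for newly created or updated passwords.
ENCODERS = [SHA256SaltedAuthenticator(), MD5Authenticator()]
AUTHENTICATORS = ENCODERS


def encode_password(password: str) -> str:
    # Server-side only: the client still submits the clear-text password.
    return ENCODERS[0].encode(password)


def authenticate(password: str, stored: str) -> Optional[str]:
    """Return the name of the scheme that accepted the login, or None."""
    for auth in AUTHENTICATORS:
        if auth.authenticate(password, stored):
            return auth.name
    return None
```

Because the salt is random, two encodings of the same password differ, which is exactly what the unsalted MD5 default lacked.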