Posted to dev@cloudstack.apache.org by Darren Shepherd <da...@gmail.com> on 2013/09/12 18:56:13 UTC
plain text authenticator
So if you set your password as blah, it gets hashed to xyz and stored
in the users table. Because of the plain text authenticator, you can
use that hashed value as your password now. So specifically the below
will work.
http://localhost:8080/client/api?command=login&username=user&password=blah
http://localhost:8080/client/api?command=login&username=user&password=xyz
This seems bad. Go and try it yourself (just be careful about URL
encoding, + should be %2b). So because of the existence of the plain
text authenticator, passwords are still plain text but they just happen
to be long random strings. Typically in an auth system you store the
hashing type with the hashed value. So then the plain text
authenticator would not even attempt to compare values because it would
see the value was hashed by a different authenticator.
Darren
RE: plain text authenticator
Posted by Rajesh Battala <ra...@citrix.com>.
It's not a good idea to iterate on all authenticators: if the real authenticator fails for some reason (if it's not able to handle some exception properly), it will continue on to invalid authenticators and may result in a wrong value/result.
Thanks
Rajesh Battala
-----Original Message-----
From: Ian Duffy [mailto:ian@ianduffy.ie]
Sent: Friday, September 13, 2013 2:52 AM
To: CloudStack Dev
Subject: Re: plain text authenticator
> Don't authenticators work as plugins in cloudstack with plain text
> authenticator as default? I think we should leave it for the customer to decide whether he wants to disable or keep the authenticator
Couldn't agree more with this! Going through each authenticator until a successful result is found is horrible!
On 12 September 2013 19:09, Frank Zhang <Fr...@citrix.com> wrote:
> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in DB?
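As an added example, not CloudStack code and not from anyone in this thread, the following toy model reproduces both problems raised above: Darren's point that a chain containing the plain text authenticator accepts the stored hash itself as a password, and Rajesh's point that iterating over all authenticators lets a failure in the real one fall through to the others. Beside it is the tagged-hash dispatch Darren describes (store the hash type with the value and consult only the matching authenticator). The class names, the choice of SHA-256 as the "real" hash, the "SCHEME$value" storage format and the one-user users table are assumptions made for the illustration.

```python
# Added example, not CloudStack code: a toy authenticator chain that reproduces the
# two problems in this thread and the tagged-hash dispatch proposed as the fix.
# Assumptions: SHA-256 as the "real" hash, a "SCHEME$value" storage format, and
# a constructed users table with one user whose password is "blah".
import hashlib
import hmac


def sha256_hex(password: str) -> str:
    """Hash a password the way the toy SHA256 authenticator expects it stored."""
    return hashlib.sha256(password.encode()).hexdigest()


class Sha256Authenticator:
    name = "SHA256"

    def check(self, stored: str, submitted: str) -> bool:
        return hmac.compare_digest(stored.encode(), sha256_hex(submitted).encode())


class PlainTextAuthenticator:
    name = "PLAINTEXT"

    def check(self, stored: str, submitted: str) -> bool:
        # Compares the submitted value directly with whatever is stored, so a
        # stored hash is accepted as a password whenever this authenticator runs.
        return hmac.compare_digest(stored.encode(), submitted.encode())


class FailingAuthenticator:
    """Stands in for Rajesh's 'real authenticator that fails for some reason'."""
    name = "FAILING"

    def check(self, stored: str, submitted: str) -> bool:
        raise RuntimeError("backend unavailable")


def chain_login(authenticators, stored: str, submitted: str) -> bool:
    """The pattern the thread objects to: try every authenticator until one says yes."""
    for auth in authenticators:
        try:
            if auth.check(stored, submitted):
                return True
        except Exception:
            continue  # a failure in one authenticator falls through to the next
    return False


def tagged_login(registry: dict, stored_tagged: str, submitted: str) -> bool:
    """The fix: the stored value carries its scheme, so exactly one authenticator runs."""
    scheme, sep, value = stored_tagged.partition("$")
    auth = registry.get(scheme) if sep else None
    if auth is None:
        return False  # untagged legacy row or unknown scheme: fail closed
    return auth.check(value, submitted)  # exceptions propagate: no fall-through


def demo() -> dict:
    """Run both designs against a constructed users table and return the outcomes."""
    users = {"user": sha256_hex("blah")}  # constructed: what the users table holds
    stored = users["user"]
    chain = [Sha256Authenticator(), PlainTextAuthenticator()]
    registry = {a.name: a for a in chain}
    return {
        # iterating chain: the real password works, but so does the stored hash
        "chain_real_password": chain_login(chain, stored, "blah"),
        "chain_hash_as_password": chain_login(chain, stored, stored),
        # iterating chain: a failing "real" authenticator falls through to plain text
        "chain_fallthrough": chain_login(
            [FailingAuthenticator(), PlainTextAuthenticator()], stored, stored),
        # tagged dispatch: only the SHA256 authenticator is consulted
        "tagged_real_password": tagged_login(registry, "SHA256$" + stored, "blah"),
        "tagged_hash_as_password": tagged_login(registry, "SHA256$" + stored, stored),
        # tagged dispatch: an untagged (pre-upgrade) row is rejected until reset
        "tagged_legacy_row": tagged_login(registry, stored, "blah"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'login OK' if ok else 'rejected'}")
```

The dispatcher keys on the tag stored in the database, never on anything the client sends, so a caller cannot steer the request toward the weaker authenticator; the plain text authenticator only ever sees rows explicitly tagged PLAINTEXT. Letting the selected authenticator's exception propagate turns a backend failure into a failed login instead of a silent fall-through. Rows with no tag fail closed, which is the upgrade question Vijay raises later in the thread: such rows need either a password reset (updateUserCmd in the thread) or a one-off migration that tags them with the scheme they are known to use.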
Re: plain text authenticator
Posted by Ian Duffy <ia...@ianduffy.ie>.
> Don't authenticators work as plugins in cloudstack with plain text
> authenticator as default? I think we should leave it for the customer to
> decide whether he wants to disable or keep the authenticator
Couldn't agree more with this! Going through each authenticator until a
successful result is found is horrible!
On 12 September 2013 19:09, Frank Zhang <Fr...@citrix.com> wrote:
> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in DB?
RE: plain text authenticator
Posted by Frank Zhang <Fr...@citrix.com>.
Are all authentication plugins loaded by default and working in an authentication chain?
Otherwise why should we keep the hash type in DB?
Re: plain text authenticator
Posted by Alena Prokharchyk <Al...@citrix.com>.
Don't authenticators work as plugins in cloudstack with plain text
authenticator as default? I think we should leave it for the customer to
decide whether he wants to disable or keep the authenticator. If he
decided to get rid of it, then steps mentioned by Vijay should be executed
(update existing users passwords with UpdateUserCmd, change config file to
remove the plain text authenticator)
-alena.
On 9/12/13 10:37 AM, "Vijayendra Bhamidipati"
<vi...@citrix.com> wrote:
>Good catch Darren - the plain text authenticator was only preserved to
>support older clients that still hashed their passwords to md5. Indeed,
>storing the hash type would be required so only the appropriate
>authenticator would be invoked. However, we need to ensure that upgrades
>are correctly handled, since in older installations, we need to know which
>users used what encoding type. After that, the plain text authenticator
>should be disabled/removed.
>
>For the immediate future, we should disable the plain text authenticator
>by default and rel-note it to say that it should be used only if older
>clients still exist and need it - and that these clients should first
>change their users' passwords via updateUserCmd so the new passwords get
>SHA encoded, and then the clients must be changed asap to use plain text
>passwords.
>
>Regards,
>Vijay
>
Re: plain text authenticator
Posted by Vijayendra Bhamidipati <vi...@citrix.com>.
Good catch Darren - the plain text authenticator was only preserved to
support older clients that still hashed their passwords to md5. Indeed,
storing the hash type would be required so only the appropriate
authenticator would be invoked. However, we need to ensure that upgrades
are correctly handled, since in older installations, we need to know which
users used what encoding type. After that, the plain text authenticator
should be disabled/removed.
For the immediate future, we should disable the plain text authenticator
by default and rel-note it to say that it should be used only if older
clients still exist and need it - and that these clients should first
change their users' passwords via updateUserCmd so the new passwords get
SHA encoded, and then the clients must be changed asap to use plain text
passwords.
Regards,
Vijay