Posted to dev@cloudstack.apache.org by Darren Shepherd <da...@gmail.com> on 2013/09/12 18:56:13 UTC

plain text authenticator

So if you set your password as blah, it gets hashed to xyz and stored 
in the users table.  Because of the plain text authenticator, you can 
use that hashed value as your password now.  So specifically the below 
will work.

http://localhost:8080/client/api?command=login&username=user&password=blah

http://localhost:8080/client/api?command=login&username=user&password=xyz

This seems bad.  Go and try it yourself (just be careful about URL 
encoding, + should be %2b).  So because of the existence of the plain 
text authenticator, passwords are still plain text but they just happen 
to be long random strings.  Typically in an auth system you store the 
hashing type with the hashed value.  So then the plain text 
authenticator would not even attempt to compare values because it would 
see the value was hashed by a different authenticator.

Darren

RE: plain text authenticator

Posted by Rajesh Battala <ra...@citrix.com>.
It's not a good idea to iterate over all authenticators: if the real authenticator fails for some reason (if it's not able to handle some exception properly), it will continue on to invalid authenticators and may result in a wrong value/result.

Thanks
Rajesh Battala
-----Original Message-----	
From: Ian Duffy [mailto:ian@ianduffy.ie] 
Sent: Friday, September 13, 2013 2:52 AM
To: CloudStack Dev
Subject: Re: plain text authenticator

> Don't authenticators work as plugins in cloudstack with plain text
> authenticator as default? I think we should leave it for the customer to decide whether he wants to disable or keep the authenticator

Couldn't agree more with this! Going through each authenticator until a successful result is found is horrible!


Re: plain text authenticator

Posted by Ian Duffy <ia...@ianduffy.ie>.
> Don't authenticators work as plugins in cloudstack with plain text
> authenticator as default? I think we should leave it for the customer to
> decide whether he wants to disable or keep the authenticator

Couldn't agree more with this! Going through each authenticator until a
successful result is found is horrible!


On 12 September 2013 19:09, Frank Zhang <Fr...@citrix.com> wrote:

> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in DB?

RE: plain text authenticator

Posted by Frank Zhang <Fr...@citrix.com>.
Are all authentication plugins loaded by default and working in an authentication chain?
Otherwise why should we keep the hash type in DB?

> -----Original Message-----
> From: Darren Shepherd [mailto:darren.s.shepherd@gmail.com]
> Sent: Thursday, September 12, 2013 9:56 AM
> To: dev@cloudstack.apache.org
> Subject: plain text authenticator
> 
> So if you set your password as blah and it gets hashed to xyz and stored in the
> users table.  Because of the plain text authenticator, you can use that hashed
> value as your password now.  So specifically the below will work.
> 
> http://localhost:8080/client/api?command=login&username=user&password=blah
> 
> http://localhost:8080/client/api?command=login&username=user&password=xyz
> 
> This seems bad.  Go and try it yourself (just be careful about URL encoding,  +
> should be %2b).  So because of the existence of the plain text authenticator,
> passwords are still plain text but they just happen to be long random strings.
> Typically in an auth system you store the hashing type with the hashed value.
> So then the plain text authenticator would not even attempt to compare values
> because it would see the value was hashed by a different authenticator.
> 
> Darren

Re: plain text authenticator

Posted by Alena Prokharchyk <Al...@citrix.com>.
Don't authenticators work as plugins in cloudstack with plain text
authenticator as default? I think we should leave it for the customer to
decide whether he wants to disable or keep the authenticator. If he
decided to get rid of it, then steps mentioned by Vijay should be executed
(update existing users passwords with UpdateUserCmd, change config file to
remove the plain text authenticator)

-alena.

On 9/12/13 10:37 AM, "Vijayendra Bhamidipati"
<vi...@citrix.com> wrote:

>Good catch Darren - the plain text authenticator was only preserved to
>support older clients that still hashed their passwords to md5. Indeed,
>storing the hash type would be required so only the appropriate
>authenticator would be invoked. However, we need to ensure that upgrades
>are correctly handled, since in older installations, we need to know which
>users used what encoding type. After that, the plain text authenticator
>should be disabled/removed.
>
>For the immediate future, we should disable the plain text authenticator
>by default and rel-note it to say that it should be used only if older
>clients still exist and need it - and that these clients should first
>change their users' passwords via updateUserCmd so the new passwords get
>SHA encoded, and then the clients must be changed asap to use plain text
>passwords.
>
>Regards,
>Vijay 

Re: plain text authenticator

Posted by Vijayendra Bhamidipati <vi...@citrix.com>.
Good catch Darren - the plain text authenticator was only preserved to
support older clients that still hashed their passwords to md5. Indeed,
storing the hash type would be required so only the appropriate
authenticator would be invoked. However, we need to ensure that upgrades
are correctly handled, since in older installations, we need to know which
users used what encoding type. After that, the plain text authenticator
should be disabled/removed.

For the immediate future, we should disable the plain text authenticator
by default and rel-note it to say that it should be used only if older
clients still exist and need it - and that these clients should first
change their users' passwords via updateUserCmd so the new passwords get
SHA encoded, and then the clients must be changed asap to use plain text
passwords.

Regards,
Vijay 

On 9/12/13 9:56 AM, "Darren Shepherd" <da...@gmail.com> wrote:

>So if you set your password as blah and it gets hashed to xyz and stored
>in the users table.  Because of the plain text authenticator, you can
>use that hashed value as your password now.  So specifically the below
>will work.
>
>http://localhost:8080/client/api?command=login&username=user&password=blah
>
>http://localhost:8080/client/api?command=login&username=user&password=xyz
>
>This seems bad.  Go and try it yourself (just be careful about URL
>encoding,  + should be %2b).  So because of the existence of the plain
>text authenticator, passwords are still plain text but they just happen
>to be long random strings.  Typically in an auth system you store the
>hashing type with the hashed value.  So then the plain text
>authenticator would not even attempt to compare values because it would
>see the value was hashed by a different authenticator.
>
>Darren
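The flaw Darren demonstrates at the top of the thread, and the tagged-hash fix that Vijay and Frank discuss, as an added example. This is not CloudStack code (CloudStack is Java; the toy is written in Python so it runs stand-alone). The class names, the `SCHEME$digest` storage format, the in-memory user tables, the registry dicts and the `login_url` helper are assumptions made for illustration; CloudStack's real schema, authenticator interface and configuration are not reproduced. The chain version accepts the stored SHA256 digest as a password because the plain text authenticator compares it directly against the column; the tagged version dispatches on the stored scheme, so the plain text authenticator is only consulted for rows that were written as plain text, and it can be left out of the registry entirely.

```python
import hashlib
import hmac
import urllib.parse


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def ct_equal(a: str, b: str) -> bool:
    # Compare as bytes: hmac.compare_digest rejects non-ASCII str input.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class Sha256Authenticator:
    scheme = "SHA256"

    def verify(self, stored: str, supplied: str) -> bool:
        return ct_equal(stored, sha256_hex(supplied))


class PlainTextAuthenticator:
    scheme = "PLAINTEXT"

    def verify(self, stored: str, supplied: str) -> bool:
        # Direct comparison: whatever sits in the column is the password,
        # so a leaked SHA256 digest logs in just as well as "blah" does.
        return ct_equal(stored, supplied)


# --- Current design: untagged column, every authenticator tried in turn ---

# Constructed row: only sha256("blah") is stored; nothing records which
# authenticator produced it.
USERS_UNTAGGED = {"user": sha256_hex("blah")}
CHAIN = [Sha256Authenticator(), PlainTextAuthenticator()]


def login_chain(table: dict, username: str, supplied: str, chain: list) -> bool:
    """Accept if any authenticator accepts (the iteration Rajesh objects to)."""
    stored = table.get(username)
    if stored is None:
        return False
    return any(auth.verify(stored, supplied) for auth in chain)


# --- Proposed design: column is "SCHEME$digest", one authenticator per scheme ---

def store_password(scheme: str, value: str) -> str:
    """Tag the stored value with the scheme that produced it (assumed format)."""
    digest = sha256_hex(value) if scheme == "SHA256" else value
    return f"{scheme}${digest}"


def login_tagged(table: dict, username: str, supplied: str, registry: dict) -> bool:
    """Dispatch on the stored scheme; never fall through to another authenticator."""
    stored = table.get(username)
    if stored is None:
        return False
    scheme, sep, digest = stored.partition("$")
    if not sep:
        return False  # untagged pre-upgrade row: fail closed, do not guess
    auth = registry.get(scheme)
    if auth is None:
        return False  # scheme not enabled in this deployment's config
    return auth.verify(digest, supplied)


USERS_TAGGED = {
    # normal user, password "blah"
    "user": store_password("SHA256", "blah"),
    # old client that still sends md5("blah") as the password value
    "legacy": store_password("PLAINTEXT", hashlib.md5(b"blah").hexdigest()),
    # row an upgrade left untagged
    "untagged": sha256_hex("blah"),
}
DEFAULT_REGISTRY = {"SHA256": Sha256Authenticator()}  # plain text off by default
LEGACY_REGISTRY = {**DEFAULT_REGISTRY, "PLAINTEXT": PlainTextAuthenticator()}  # operator opt-in


def login_url(base: str, username: str, password: str) -> str:
    """Build the login request; urlencode turns '+' into %2B, as the post warns."""
    query = urllib.parse.urlencode(
        {"command": "login", "username": username, "password": password})
    return f"{base}/client/api?{query}"


def demo() -> dict:
    digest = sha256_hex("blah")
    md5 = hashlib.md5(b"blah").hexdigest()
    return {
        "chain: real password": login_chain(USERS_UNTAGGED, "user", "blah", CHAIN),
        "chain: stored hash as password": login_chain(USERS_UNTAGGED, "user", digest, CHAIN),
        "tagged: real password": login_tagged(USERS_TAGGED, "user", "blah", DEFAULT_REGISTRY),
        "tagged: stored hash as password": login_tagged(USERS_TAGGED, "user", digest, LEGACY_REGISTRY),
        "tagged: legacy client, plain text off": login_tagged(USERS_TAGGED, "legacy", md5, DEFAULT_REGISTRY),
        "tagged: legacy client, plain text on": login_tagged(USERS_TAGGED, "legacy", md5, LEGACY_REGISTRY),
        "tagged: untagged row": login_tagged(USERS_TAGGED, "untagged", "blah", LEGACY_REGISTRY),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:40s} {'ACCEPTED' if ok else 'rejected'}")
```

Two design points worth noting. The tagged lookup fails closed on rows with no scheme tag, which is exactly why Vijay's upgrade concern matters: every pre-upgrade row has to be migrated (or rewritten through updateUser) before the plain text authenticator is removed, or those users lose access. And even with the plain text authenticator enabled for legacy clients, a SHA256 row is only ever checked by the SHA256 authenticator, so the stored digest no longer works as a password.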