[ https://issues.apache.org/jira/browse/CLOUDSTACK-1734?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13607931#comment-13607931 ]
Venkata Siva Vijayendra Bhamidipati commented on CLOUDSTACK-1734:
-----------------------------------------------------------------
SHA256SALT will be made the default encoding algorithm to encode passwords when
creating/updating users, since it is more secure compared to MD5 hashing. The
fix will introduce a new configurable list called UserPasswordEncoders to allow
admins to separately configure the order of preference for encoding and
authentication schemes. Also, since passwords are now sent by clients as clear
text, we'll fix the Plain text authenticator to check against the plain text
password passed in to it, using a simple string compare, rather than its md5
digest.
To change the order of the schemes, the admin can modify the following list
properties in client/tomcatconf/nonossComponentContext.xml.in or
client/tomcatconf/componentContext.xml.in as applicable, to the desired order:
<property name="UserAuthenticators">
  <list>
    <ref bean="SHA256SaltedUserAuthenticator"/>
    <ref bean="MD5UserAuthenticator"/>
    <ref bean="LDAPUserAuthenticator"/>
    <ref bean="PlainTextUserAuthenticator"/>
  </list>
</property>
<property name="UserPasswordEncoders">
  <list>
    <ref bean="SHA256SaltedUserAuthenticator"/>
    <ref bean="MD5UserAuthenticator"/>
    <ref bean="LDAPUserAuthenticator"/>
    <ref bean="PlainTextUserAuthenticator"/>
  </list>
</property>
Thus, when a user is created, the encoding of the password will be attempted in
the order determined by UserPasswordEncoders, and the first to succeed will be
used. In the above default ordering, SHA256Salt is tried first. If the module
is found and encoding returns a valid value, the encoded password will be
stored in the user table's password column. If it fails for any reason, the
MD5UserAuthenticator will be tried next, and so on.
When a user needs to be authenticated, the order in which the authenticators
are invoked is determined by UserAuthenticators. In the above default ordering,
SHA256Salt authentication is tried first. If it succeeds, the user is logged
into the mgmt server. If it fails, MD5 is tried next, and so on until any of
them succeeds and the user logs in or all of them fail and the user is returned
an invalid username/password message.
> Make SHA1 default password encoding mechanism
> ---------------------------------------------
>
> Key: CLOUDSTACK-1734
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1734
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Management Server
> Affects Versions: 4.1.0
> Environment: Cloudstack generic
> Reporter: Venkata Siva Vijayendra Bhamidipati
> Assignee: Venkata Siva Vijayendra Bhamidipati
> Fix For: 4.1.0
>
>
> Currently MD5 is the default password encoding mechanism during user creation
> and update. Make SHA1 the default, using the recently added
> SHA256SALTUserAuthenticator.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
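The ordered encoder/authenticator chain described in the comment above, modelled in Python as an added illustration. This is not CloudStack's code: the class names only mirror the bean names in the XML lists, the SHA256-salted record layout (base64 salt, a colon, base64 of sha256(salt || password)) is an assumption, the LDAP authenticator is left out because it needs a directory server, and the legacy MD5 row is constructed for the demo.

```python
"""Ordered encoder / authenticator chain, modelled on the UserPasswordEncoders and
UserAuthenticators lists in the comment above.

Added illustration code, not CloudStack's implementation.  Assumptions: class
names mirror the bean names; the SHA256-salted record layout is
base64(salt) ':' base64(sha256(salt || password)); LDAP is omitted.
"""
import base64
import hashlib
import hmac
import secrets


class SHA256SaltedUserAuthenticator:
    """Per-user random salt, so a stolen table cannot be hit with one precomputed table."""
    SALT_LEN = 16

    def encode(self, password: str) -> str:
        salt = secrets.token_bytes(self.SALT_LEN)
        digest = hashlib.sha256(salt + password.encode()).digest()
        return base64.b64encode(salt).decode() + ":" + base64.b64encode(digest).decode()

    def authenticate(self, password: str, stored: str) -> bool:
        try:
            salt_b64, digest_b64 = stored.split(":", 1)
            salt = base64.b64decode(salt_b64, validate=True)
            expected = base64.b64decode(digest_b64, validate=True)
        except ValueError:
            return False  # not a record in this format: fall through to the next scheme
        actual = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(actual, expected)


class MD5UserAuthenticator:
    """Legacy unsalted MD5, kept only so rows written by older releases still verify."""

    def encode(self, password: str) -> str:
        return hashlib.md5(password.encode()).hexdigest()

    def authenticate(self, password: str, stored: str) -> bool:
        return hmac.compare_digest(self.encode(password).encode(), stored.encode())


class PlainTextUserAuthenticator:
    """Straight string compare of the clear-text password, as the comment describes."""

    def encode(self, password: str) -> str:
        return password

    def authenticate(self, password: str, stored: str) -> bool:
        return hmac.compare_digest(password.encode(), stored.encode())


# Default orderings, matching the XML lists above (minus LDAP).
USER_PASSWORD_ENCODERS = [SHA256SaltedUserAuthenticator(), MD5UserAuthenticator(), PlainTextUserAuthenticator()]
USER_AUTHENTICATORS = [SHA256SaltedUserAuthenticator(), MD5UserAuthenticator(), PlainTextUserAuthenticator()]

# Constructed legacy row: md5("secret") as an MD5-default release would have stored it.
LEGACY_MD5_RECORD = "5ebe2294ecd0e0f08eab7690d2a6ee69"


def encode_password(password: str, encoders=USER_PASSWORD_ENCODERS) -> str:
    """Try encoders in list order; the first that returns a non-empty value wins."""
    for enc in encoders:
        try:
            encoded = enc.encode(password)
        except Exception:
            continue  # a failing encoder simply hands over to the next one
        if encoded:
            return encoded
    raise RuntimeError("no configured encoder could encode the password")


def authenticate(password: str, stored: str, authenticators=USER_AUTHENTICATORS):
    """Return the name of the first authenticator that accepts the login, or None."""
    for auth in authenticators:
        if auth.authenticate(password, stored):
            return type(auth).__name__
    return None


if __name__ == "__main__":
    # New user: stored in the SHA256-salted format and verified by the first authenticator.
    row = encode_password("correct horse battery staple")
    print(authenticate("correct horse battery staple", row))  # SHA256SaltedUserAuthenticator
    # Legacy user keeps logging in through fall-through to MD5.
    print(authenticate("secret", LEGACY_MD5_RECORD))  # MD5UserAuthenticator
    # Caveat of any fall-through chain that ends in a string compare: the stored
    # record itself is accepted as the password by the plain-text step.
    print(authenticate(row, row))  # PlainTextUserAuthenticator
    print(authenticate(row, row, USER_AUTHENTICATORS[:2]))  # None
```

The last two lines of the demo are the check worth running against any such chain: because every authenticator in the list gets a turn, the weakest one enabled sets the bar, and a trailing plain-text compare accepts whatever string happens to equal the stored column, including a leaked hash record. Keep PlainTextUserAuthenticator in the UserAuthenticators list only while clear-text rows actually exist, and remove it once they have been re-encoded.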