Abe Ratnofsky created CASSANDRA-19817:
-----------------------------------------
Summary: PasswordAuthenticator accepts passwords with matching
prefixes exceeding bcrypt length limit
Key: CASSANDRA-19817
URL: https://issues.apache.org/jira/browse/CASSANDRA-19817
Project: Cassandra
Issue Type: Bug
Components: Messaging/Client
Reporter: Abe Ratnofsky
Cassandra allows roles to be created with passwords longer than the bcrypt
length limit of 72 bytes[1]. All passwords sharing a 72-byte prefix have the
same bcrypt hash, so users can authenticate with passwords that do not exactly
match a role's configured password.
Users expect authentication to only happen when there is an exact match between
a role's configured password and the password provided by an agent
authenticating against that role.
I have a few elements to propose:
1. Cassandra rejects creation of passwords (via CREATE ROLE or ALTER ROLE) that
exceed the 72-byte limit
2. Cassandra logs a server-side warning (not ClientWarn) when a role's password
exceeds the length limit, recommending a password change, with NoSpamLogger
Thanks to Stefan Miklosovic for investigating this with me.
As for proof, here's a failing test:
```
import org.mindrot.jbcrypt.BCrypt;
public class PasswordCollisionTest
{
@Test
public void testLongPassword() throws Exception
{
String longpassword =
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
String salt = BCrypt.gensalt();
String longhashed = BCrypt.hashpw(longpassword, salt);
Assert.assertTrue(BCrypt.checkpw(longpassword, longhashed));
String longerpassword = longpassword + "bbb";
String longerhashed = BCrypt.hashpw(longerpassword, salt);
Assert.assertNotEquals(longerhashed, longhashed);
}
}
```
Here's a similar test as an end-user would experience it, against recent trunk
(fe30e227bdedf13f890e242d2646598398ba8bed):
```
$ ./bin/cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
Use HELP for help.
cassandra@cqlsh> CREATE ROLE longpassword WITH PASSWORD =
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
AND LOGIN = true;
cassandra@cqlsh> exit;
$ ./bin/cqlsh -u longpassword -p
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
Use HELP for help.
longpassword@cqlsh> exit;
$ ./bin/cqlsh -u longpassword -p
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbb
Connected to Test Cluster at 127.0.0.1:9042
[cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
Use HELP for help.
longpassword@cqlsh> exit;
```
[1]: [https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
