[
https://issues.apache.org/jira/browse/CASSANDRA-19817?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Abe Ratnofsky updated CASSANDRA-19817:
--------------------------------------
Impacts: (was: None)
> PasswordAuthenticator accepts passwords with matching prefixes exceeding
> bcrypt length limit
> --------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-19817
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19817
> Project: Cassandra
> Issue Type: Bug
> Components: Messaging/Client
> Reporter: Abe Ratnofsky
> Priority: Normal
>
> Cassandra allows roles to be created with passwords longer than the bcrypt
> length limit of 72 bytes[1]. All passwords sharing a 72-byte prefix have the
> same bcrypt hash, so users can authenticate with passwords that do not
> exactly match a role's configured password.
>
> Users expect authentication to only happen when there is an exact match
> between a role's configured password and the password provided by an agent
> authenticating against that role.
> I have a few elements to propose:
> 1. Cassandra rejects creation of passwords (via CREATE ROLE or ALTER ROLE)
> that exceed the 72-byte limit
> 2. Cassandra logs a server-side warning (not ClientWarn) when a role's
> password exceeds the length limit, recommending a password change, with
> NoSpamLogger
> Thanks to Stefan Miklosovic for investigating this with me.
> As for proof, here's a failing test:
> ```
> import org.mindrot.jbcrypt.BCrypt;
> public class PasswordCollisionTest
> {
> @Test
> public void testLongPassword() throws Exception
> {
> String longpassword =
> "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
> String salt = BCrypt.gensalt();
> String longhashed = BCrypt.hashpw(longpassword, salt);
> Assert.assertTrue(BCrypt.checkpw(longpassword, longhashed));
> String longerpassword = longpassword + "bbb";
> String longerhashed = BCrypt.hashpw(longerpassword, salt);
> Assert.assertNotEquals(longerhashed, longhashed);
> }
> }
> ```
> Here's a similar test as an end-user would experience it, against recent
> trunk (fe30e227bdedf13f890e242d2646598398ba8bed):
> ```
> $ ./bin/cqlsh -u cassandra -p cassandra
> Connected to Test Cluster at 127.0.0.1:9042
> [cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> Use HELP for help.
> cassandra@cqlsh> CREATE ROLE longpassword WITH PASSWORD =
> 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
> AND LOGIN = true;
> cassandra@cqlsh> exit;
> $ ./bin/cqlsh -u longpassword -p
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
> Connected to Test Cluster at 127.0.0.1:9042
> [cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> Use HELP for help.
> longpassword@cqlsh> exit;
> $ ./bin/cqlsh -u longpassword -p
> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbb
> Connected to Test Cluster at 127.0.0.1:9042
> [cqlsh 6.0.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> Use HELP for help.
> longpassword@cqlsh> exit;
> ```
> [1]: [https://en.wikipedia.org/wiki/Bcrypt#Maximum_password_length]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
