On Thu, May 16, 2013 at 04:03:14PM +0200, Ove Ewerlid wrote: > I vote -1 for enabling plain text authentication allowing auth > directly against hashes. I'm not clear if this functionality exists > in ACS4.0, I would assume not. > > The API breakage reported was in createUser, where the ability to > pass in a hash has value. Think migration scenarios where only the > hash is known. > > createUser, createAccount and createDomain have, in v41, been > enhanced with parameters to allow specifying the UUID directly to > accommodate for external provisioning (or migration from older > systems). The ability to pass in existing hashes has value in these > scenarios. There is also value in being able to pass in a plain text > password and have it encrypted depending on how the external account > provisioning is done.
Chip, Ove, There's two parts to this process - the auth and the encode. In auth - existing tenants of your system send through their passwd over the wire that is compared with the password in your cloudstack database as follows: Order of authenticators SHA256 > MD5 > PlainText For a moment assume that Alice (existing user) sends only plaintext passwords as she entered in the system when her account was created: Her password in the db is say alicesecretsauce and she passes alicesecretesauce over-the-wire. CloudStack will do the following while authenticating Alice: 1. Is SHA256(alicesecretsauce) == CloudStack_DB(alicesecretesauce) 2. Is MD5(alicesecretsauce) == CloudStack_DB(alicesecretesauce) 3. Is alicesecretsauce == CloudStack_DB(alicesecretesauce) In your case since the DB contains the MD5 of alicesecretsauce against Alice's account the second comparison returns and authenticates Alice successfully after SHA256 fails. Now let's say you upgrade to 4.1 with the same order of authenticators and bug fixed as sent in the patch by Kishan: Let's look at Alice's case again: She sends alicesecretsauce over-the-wire - and the same process works out for her and she is able to login. Now let's say Bob is a new account that is created in your system post-upgrade to 4.1: When Bob creates his account, his password is encoded using the SHA256 scheme since that's the first one in the configured list. So all new accounts now have a SHA256 value in the DB against them. When Bob attempts to login the first comparison ie SHA256(bobsecretsauce) == CloudStack_DB(bobsecretsauce) and he too is allowed to login. Coming to your scenario where you want to hash passwords which are coming over-the-wire: The scenario before upgrade should be clear so I won't explain it here. Post-upgrade: Alice sends MD5(alicesecretsauce) as per your provisoner- 1. Is SHA256(MD5(alicesecretsauce)) == CloudStack_DB(alicesecretesauce) 2. Is MD5(MD5(alicesecretsauce)) == CloudStack_DB(alicesecretesauce) 3. Is MD5(alicesecretsauce) == CloudStack_DB(alicesecretesauce) So she is authenticated using the plaintext authenticator now in 3. Without that her auth fails. This is what Kishan is asking that you enable. Bob on the other hand sends in MD5(bobsecretsauce) and his account was saved in the DB when your provisioner created his account with passwd: SHA256(MD5(secretsauce)) thereby for him the 1st authenticator works and helps him login to cloudstack. If I were you - I'd migrate everything with the plaintext authenticator enabled and then switch over to an auth mechanism that suits my security needs and my external provisioner. For those moving from 2.2.x, 3.0.x, 4.0 to 4.1: 1. We remove the incorrect auth mechanism and put in the right fix of encoding at the server and not doing any UI magic. 2. We correct the API docs and other docs to indicate the user to send in plaintext so clients can adjust to the change. 3. We describe this migration situation as Ove encountered and how it can be corrected without any change using the plaintext authenticator. I hope that this is fixed right and at the same time it doesn't break backwards compatibility which is the solution that Kishan is proposing and I'd recommend too. > Seems a new parameter is needed in createUser > to allow both while retaining backwards compat. Perhaps a parameter > specifying the type of hash or if the password is plain text that > needs to be encrypted. If this parameter is not present, the > assumption should be that the password is an MD5 hash, the old > behavior. > > /Ove > > On 05/16/2013 03:23 PM, Kishan Kavala wrote: > > > > > >>-----Original Message----- > >>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com] > >>Sent: Thursday, 16 May 2013 6:25 PM > >>To: dev@cloudstack.apache.org > >>Subject: Re: Review Request: Added PlainTextAuthenticator > >> > >>On 05/16/2013 02:16 PM, Kishan Kavala wrote: > >>>Ove, > >>> Plain text authenticator will allow logging using the hash value. Or > >>> else, > >>clients sending MD5 hash will fail to login. This is primarily for backward > >>compatibility. > >>>To avoid logging in using has value itself, plain text authenticator can be > >>removed from auth adapter list, provided the client sends plain text instead > >>of hash. > >> > >>I'm not seeing the plain-text authenticator in ACS4.0 list of authenticators > >>(components.xml). MD5 and LDAP are listed. Help me out, where in ACS4.0 is > >>the code to allow login using the password hash itself? > >> > >>/Ove > > > > > >I checked 4.0 code. plain-text authenticator is not in components.xml but > >it is part of the code. > > > >plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java > > > >It does MD5 has compare instead of plain text (don't know why), so it may > >not serve u'r purpose even after adding it to components.xml > > > >> > >> > >>>~kishan > >>> > >>>>-----Original Message----- > >>>>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com] > >>>>Sent: Thursday, 16 May 2013 5:33 PM > >>>>To: dev@cloudstack.apache.org; Kishan Kavala > >>>>Subject: Re: Review Request: Added PlainTextAuthenticator > >>>> > >>>>Hi Kishan! > >>>> > >>>>Did you verify that adding the plain text authenticator will not > >>>>allow login using the hash value itself? > >>>> > >>>> > >>>>from AccountManagerImpl.java; > >>>> ... getUserAccount ... > >>>> ... > >>>> boolean authenticated = false; > >>>> for(UserAuthenticator authenticator : _userAuthenticators) { > >>>> if (authenticator.authenticate(username, password, > >>>>domainId, requestParameters)) { > >>>> authenticated = true; > >>>> break; > >>>> } > >>>> } > >>>> ... > >>>> > >>>>/Ove > >>>> > >>>>On 05/16/2013 12:39 PM, Kishan Kavala wrote: > >>>>> > >>>>>----------------------------------------------------------- > >>>>>This is an automatically generated e-mail. To reply, visit: > >>>>>https://reviews.apache.org/r/11194/ > >>>>>----------------------------------------------------------- > >>>>> > >>>>>Review request for cloudstack and Chip Childers. > >>>>> > >>>>> > >>>>>Summary (updated) > >>>>>----------------- > >>>>> > >>>>>Added PlainTextAuthenticator > >>>>> > >>>>> > >>>>>Description (updated) > >>>>>------- > >>>>> > >>>>>Added PlainTextAuthenticator for backward compatibility. Removed > >>MD5 > >>>>auth from PlainTextAuthenticator. It just does plain text compare. > >>>>> > >>>>> > >>>>>This addresses bug CLOUDSTACK-2516. > >>>>> > >>>>> > >>>>>Diffs (updated) > >>>>>----- > >>>>> > >>>>> client/tomcatconf/applicationContext.xml.in 849c0bc > >>>>> client/tomcatconf/componentContext.xml.in ecd4a11 > >>>>> plugins/user-authenticators/plain- > >>>>text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java > >>>>52e7cb3 > >>>>> > >>>>>Diff: https://reviews.apache.org/r/11194/diff/ > >>>>> > >>>>> > >>>>>Testing (updated) > >>>>>------- > >>>>> > >>>>>Tested login with password sent as both MD5 hash and plaintext > >>>>> > >>>>> > >>>>>Thanks, > >>>>> > >>>>>Kishan Kavala > >>>>> > >>>>> > >>>> > >>>> > >>>>-- > >>>>Ove Everlid > >>>>System Administrator / Architect / SDN & Linux hacker > >>>>Mobile: +46706662363 > >>>>Office: +4618656913 (note EMEA Time Zone) > >> > >> > >>-- > >>Ove Everlid > >>System Administrator / Architect / SDN & Linux hacker > >>Mobile: +46706662363 > >>Office: +4618656913 (note EMEA Time Zone) > > > -- > Ove Everlid > System Administrator / Architect / SDN & Linux hacker > Mobile: +46706662363 > Office: +4618656913 (note EMEA Time Zone) -- Prasanna., ------------------------ Powered by BigRock.com
