RE: Review Request: Added PlainTextAuthenticator

Koushik Das Thu, 16 May 2013 11:28:15 -0700
Nice explanation Prasanna.
+1 to Kishan's fix.

> -----Original Message-----
> From: Prasanna Santhanam [mailto:t...@apache.org]
> Sent: Thursday, May 16, 2013 9:50 PM
> To: dev@cloudstack.apache.org
> Cc: Kishan Kavala
> Subject: Re: Review Request: Added PlainTextAuthenticator
> 
> On Thu, May 16, 2013 at 04:03:14PM +0200, Ove Ewerlid wrote:
> > I vote -1 for enabling plain text authentication allowing auth
> > directly against hashes. I'm not clear if this functionality exists in
> > ACS4.0, I would assume not.
> >
> > The API breakage reported was in createUser, where the ability to pass
> > in a hash has value. Think migration scenarios where only the hash is
> > known.
> >
> > createUser, createAccount and createDomain have, in v41, been enhanced
> > with parameters to allow specifying the UUID directly to accommodate
> > for external provisioning (or migration from older systems). The
> > ability to pass in existing hashes has value in these scenarios. There
> > is also value in being able to pass in a plain text password and have
> > it encrypted depending on how the external account provisioning is
> > done.
> 
> Chip, Ove,
> 
> There's two parts to this process - the auth and the encode.
> 
> In auth - existing tenants of your system send through their passwd over the
> wire that is compared with the password in your cloudstack database as
> follows:
> 
> Order of authenticators
> SHA256 > MD5 > PlainText
> 
> For a moment assume that Alice (existing user) sends only plaintext
> passwords as she entered in the system when her account was created:
> Her password in the db is say alicesecretsauce and she passes
> alicesecretesauce over-the-wire.
> 
> CloudStack will do the following while authenticating Alice:
> 1. Is SHA256(alicesecretsauce) == CloudStack_DB(alicesecretesauce) 2. Is
> MD5(alicesecretsauce) == CloudStack_DB(alicesecretesauce) 3. Is
> alicesecretsauce == CloudStack_DB(alicesecretesauce)
> 
> In your case since the DB contains the MD5 of alicesecretsauce against Alice's
> account the second comparison returns and authenticates Alice successfully
> after SHA256 fails.
> 
> Now let's say you upgrade to 4.1 with the same order of authenticators and
> bug fixed as sent in the patch by Kishan:
> 
> Let's look at Alice's case again:
> She sends alicesecretsauce over-the-wire - and the same process works out
> for her and she is able to login.
> 
> Now let's say Bob is a new account that is created in your system post-
> upgrade to 4.1:
> 
> When Bob creates his account, his password is encoded using the SHA256
> scheme since that's the first one in the configured list. So all new accounts
> now have a SHA256 value in the DB against them.
> 
> When Bob attempts to login the first comparison ie
> SHA256(bobsecretsauce) == CloudStack_DB(bobsecretsauce) and he too is
> allowed to login.
> 
> Coming to your scenario where you want to hash passwords which are
> coming over-the-wire: The scenario before upgrade should be clear so I
> won't explain it here.
> 
> Post-upgrade:
> Alice sends MD5(alicesecretsauce) as per your provisoner-
> 
> 1. Is SHA256(MD5(alicesecretsauce)) == CloudStack_DB(alicesecretesauce) 2.
> Is MD5(MD5(alicesecretsauce)) == CloudStack_DB(alicesecretesauce) 3. Is
> MD5(alicesecretsauce) == CloudStack_DB(alicesecretesauce)
> 
> So she is authenticated using the plaintext authenticator now in 3.
> Without that her auth fails. This is what Kishan is asking that you enable.
> 
> Bob on the other hand sends in MD5(bobsecretsauce) and his account was
> saved in the DB when your provisioner created his account with
> passwd:  SHA256(MD5(secretsauce)) thereby for him the 1st authenticator
> works and helps him login to cloudstack.
> 
> If I were you - I'd migrate everything with the plaintext authenticator
> enabled and then switch over to an auth mechanism that suits my security
> needs and my external provisioner.
> 
> For those moving from 2.2.x, 3.0.x, 4.0 to 4.1:
> 1. We remove the incorrect auth mechanism and put in the right fix of
> encoding at the server and not doing any UI magic.
> 2. We correct the API docs and other docs to indicate the user to send in
> plaintext so clients can adjust to the change.
> 3. We describe this migration situation as Ove encountered and how it can be
> corrected without any change using the plaintext authenticator.
> 
> I hope that this is fixed right and at the same time it doesn't break 
> backwards
> compatibility which is the solution that Kishan is proposing and I'd
> recommend too.
> 
> > Seems a new parameter is needed in createUser to allow both while
> > retaining backwards compat. Perhaps a parameter specifying the type of
> > hash or if the password is plain text that needs to be encrypted. If
> > this parameter is not present, the assumption should be that the
> > password is an MD5 hash, the old behavior.
> >
> > /Ove
> >
> > On 05/16/2013 03:23 PM, Kishan Kavala wrote:
> > >
> > >
> > >>-----Original Message-----
> > >>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
> > >>Sent: Thursday, 16 May 2013 6:25 PM
> > >>To: dev@cloudstack.apache.org
> > >>Subject: Re: Review Request: Added PlainTextAuthenticator
> > >>
> > >>On 05/16/2013 02:16 PM, Kishan Kavala wrote:
> > >>>Ove,
> > >>>    Plain text authenticator will allow logging using the hash
> > >>>value. Or else,
> > >>clients sending MD5 hash will fail to login. This is primarily for
> > >>backward compatibility.
> > >>>To avoid logging in using has value itself, plain text
> > >>>authenticator can be
> > >>removed from auth adapter list, provided the client sends plain text
> > >>instead of hash.
> > >>
> > >>I'm not seeing the plain-text authenticator in ACS4.0 list of
> > >>authenticators (components.xml). MD5 and LDAP are listed. Help me
> > >>out, where in ACS4.0 is the code to allow login using the password hash
> itself?
> > >>
> > >>/Ove
> > >
> > >
> > >I checked 4.0 code.  plain-text authenticator is not in components.xml but
> it is part of the code.
> > >
> > >plugins/user-authenticators/plain-text/src/com/cloud/server/auth/Plai
> > >nTextUserAuthenticator.java
> > >
> > >It does MD5 has compare instead of plain text (don't know why), so it
> > >may not serve u'r purpose even after adding it to components.xml
> > >
> > >>
> > >>
> > >>>~kishan
> > >>>
> > >>>>-----Original Message-----
> > >>>>From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
> > >>>>Sent: Thursday, 16 May 2013 5:33 PM
> > >>>>To: dev@cloudstack.apache.org; Kishan Kavala
> > >>>>Subject: Re: Review Request: Added PlainTextAuthenticator
> > >>>>
> > >>>>Hi Kishan!
> > >>>>
> > >>>>Did you verify that adding the plain text authenticator will not
> > >>>>allow login using the hash value itself?
> > >>>>
> > >>>>
> > >>>>from AccountManagerImpl.java;
> > >>>>    ... getUserAccount ...
> > >>>>    ...
> > >>>>     boolean authenticated = false;
> > >>>>            for(UserAuthenticator authenticator : _userAuthenticators) {
> > >>>>                if (authenticator.authenticate(username, password,
> > >>>>domainId, requestParameters)) {
> > >>>>                    authenticated = true;
> > >>>>                    break;
> > >>>>                }
> > >>>>            }
> > >>>>    ...
> > >>>>
> > >>>>/Ove
> > >>>>
> > >>>>On 05/16/2013 12:39 PM, Kishan Kavala wrote:
> > >>>>>
> > >>>>>-----------------------------------------------------------
> > >>>>>This is an automatically generated e-mail. To reply, visit:
> > >>>>>https://reviews.apache.org/r/11194/
> > >>>>>-----------------------------------------------------------
> > >>>>>
> > >>>>>Review request for cloudstack and Chip Childers.
> > >>>>>
> > >>>>>
> > >>>>>Summary (updated)
> > >>>>>-----------------
> > >>>>>
> > >>>>>Added PlainTextAuthenticator
> > >>>>>
> > >>>>>
> > >>>>>Description (updated)
> > >>>>>-------
> > >>>>>
> > >>>>>Added PlainTextAuthenticator for backward compatibility. Removed
> > >>MD5
> > >>>>auth from PlainTextAuthenticator. It just does plain text compare.
> > >>>>>
> > >>>>>
> > >>>>>This addresses bug CLOUDSTACK-2516.
> > >>>>>
> > >>>>>
> > >>>>>Diffs (updated)
> > >>>>>-----
> > >>>>>
> > >>>>>     client/tomcatconf/applicationContext.xml.in 849c0bc
> > >>>>>     client/tomcatconf/componentContext.xml.in ecd4a11
> > >>>>>     plugins/user-authenticators/plain-
> > >>>>text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java
> > >>>>52e7cb3
> > >>>>>
> > >>>>>Diff: https://reviews.apache.org/r/11194/diff/
> > >>>>>
> > >>>>>
> > >>>>>Testing (updated)
> > >>>>>-------
> > >>>>>
> > >>>>>Tested login with password sent as both MD5 hash and plaintext
> > >>>>>
> > >>>>>
> > >>>>>Thanks,
> > >>>>>
> > >>>>>Kishan Kavala
> > >>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>>--
> > >>>>Ove Everlid
> > >>>>System Administrator / Architect / SDN & Linux hacker
> > >>>>Mobile: +46706662363
> > >>>>Office: +4618656913 (note EMEA Time Zone)
> > >>
> > >>
> > >>--
> > >>Ove Everlid
> > >>System Administrator / Architect / SDN & Linux hacker
> > >>Mobile: +46706662363
> > >>Office: +4618656913 (note EMEA Time Zone)
> >
> >
> > --
> > Ove Everlid
> > System Administrator / Architect / SDN & Linux hacker
> > Mobile: +46706662363
> > Office: +4618656913 (note EMEA Time Zone)
> 
> --
> Prasanna.,
> 
> ------------------------
> Powered by BigRock.com
RE: Review Request: Added PlainTextAuthenticator

Reply via email to
