Date: Tue, 17 May 2011 15:05:55 -0700
Subject: Re: Questions about using MD5 encryption with SimpleAuthenticator
From: Sameer Farooqui
To: user@cassandra.apache.org

Hey Aaron,

Unfortunately it fails with plaintext password also:

ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 'nosql' -k MDR
Login failure. Did you specify 'keyspace', 'username' and 'password'?
Welcome to the Cassandra CLI.
<quit CLI manually>

ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw nosql -k MDR
Login failure. Did you specify 'keyspace', 'username' and 'password'?
Welcome to the Cassandra CLI.
<quit CLI manually>

Regarding the security of MD5, I'm not a security guy either, but it seems quite easy to crack, especially for short passwords.

This website was quickly able to decrypt my MD5 digest (which is honestly not very complex) and give me the original plaintext: http://md5.noisette.ch/index.php

Longer list of MD5 rainbow table sites: http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/

Anyway, any help with the original question of how to input the password to the Cassandra-CLI would be much appreciated!

- Sameer

On Tue, May 17, 2011 at 1:03 PM, aaron morton <aaron@thelastpickle.com> wrote:

> Use the plain text password via the cli, the server will make a hash and
> compare it to the one in the file.
>
> wrt SHA-2 I'm not a security guy but MD5 is probably "good enough" for the
> problem of storing passwords in plain text in a file.
>
> Hope that helps.
>
> -----------------
> Aaron Morton
> Freelance Cassandra Developer
> @aaronmorton
> http://www.thelastpickle.com
>
> On 17 May 2011, at 10:59, Sameer Farooqui wrote:
>
> By the way, just noticed a typo in my email below. I'm using the correct
> keyspace name in all locations on the cluster... however in my examples
> below, I used MyKeyspace in some spots and MDR in other spots, but in the
> cluster I'm specifying the same keyspace name everywhere, so that's not the
> issue.
>
> - Sameer
>
>
> On Mon, May 16, 2011 at 3:55 PM, Sameer Farooqui <cassandralabs@gmail.com> wrote:
>
>> Hi all,
>>
>> We are trying to use MD5 encrypted passwords. Quick question first - Is
>> SHA-2 supported yet? US-CERT of the U. S. Department of Homeland Security
>> has said that MD5 "should be considered cryptographically broken and
>> unsuitable for further use", and SHA-2 family of hash functions is
>> recommended.
>>
>> The issue I'm seeing is that when I turn on MD5 encryption, I can't log
>> into the cluster from Cassandra-CLI (I get a login failure).
>>
>> The cassandra.in.sh file has been changed as so:
>>
>> JVM_OPTS="
>>         -Dpasswd.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/passwd.properties \
>>         -Daccess.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/access.properties \
>>         -Dpasswd.mode=MD5"
>>
>>
>> And I ran this python script to generate a MD5 hash:
>> ubuntu@darknet:~$ python
>> Python 2.6.6 (r266:84292, Sep 15 2010, 15:52:39)
>> [GCC 4.4.5] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>> >>> from hashlib import md5
>> >>> p = "nosql"
>> >>> h = md5(p).hexdigest()
>> >>> print h
>> 9fa1b39e7eb877367213e6f7e37d0b01
>>
>>
>> Then I updated the passwd.properties file with the new hashed password:
>> jdoe=9fa1b39e7eb877367213e6f7e37d0b01
>>
>>
>> Also, the access.properties file is properly set so that jdoe has rw
>> access to the keyspace and CF:
>> MyKeyspace.<rw>=jdoe,jsmith
>> MyKeyspace.MyCF.<rw>=jsmith,jdoe
>>
>>
>> But when I try to connect to the cluster now, I'm getting a login failure.
>> I have tried a few different ways of connecting:
>>
>> Ran this from the Cassandra CLI:
>> [default@unknown] connect ec2-50-19-26-189.compute-1.amazonaws.com/9160 jdoe '9fa1b39e7eb877367213e6f7e37d0b01';
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>>
>> Ran these from the Ubuntu CLI:
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 9fa1b39e7eb877367213e6f7e37d0b01 -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>>
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw '9fa1b39e7eb877367213e6f7e37d0b01' -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>>
>> Hmm, what am I doing wrong?
>>
>> - Sameer

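Added example, not part of the original thread and not Cassandra's own code: a small Python model of the MD5-mode check described in the reply above (hash the submitted plaintext, compare it with the passwd.properties entry), an audit that shows why unsalted digests are easy to look up, and a salted PBKDF2 record for contrast. The sample file contents, all function names and the `pbkdf2-sha256$...` record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample in the passwd.properties layout from the thread (user=hex digest).
# Digests are computed here rather than copied, so the sample is self-consistent.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample, MD5 mode",
    "jdoe=" + hashlib.md5(b"nosql").hexdigest(),
    "jsmith=" + hashlib.md5(b"nosql").hexdigest(),
])

def parse_passwd(text):
    """Parse user=digest lines; handles only the simple subset of .properties used here."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            user, digest = line.split("=", 1)
            entries[user.strip()] = digest.strip().lower()
    return entries

def md5_mode_login(entries, user, password):
    """Model of the described check: hash the submitted plaintext, compare with the stored digest."""
    stored = entries.get(user)
    if stored is None:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored)

def shared_digests(entries):
    """Audit: users grouped under one digest share a password, a sign the hashes are unsalted."""
    groups = {}
    for user, digest in entries.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def make_salted_record(password, iterations=200000):
    """Hypothetical record 'pbkdf2-sha256$iterations$salt$hash' (not a Cassandra passwd.mode)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def check_salted_record(record, password):
    """Recompute the derived key with the record's own salt and iteration count."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

In this model, submitting the stored hex digest as the password fails because it is hashed a second time, and a plain SHA-2 digest without a salt would group identical passwords exactly as MD5 does.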