cloudstack-dev mailing list archives

From Chiradeep Vittal <>
Subject Re: Make the authenticator responsible for encoding the password and add a SHA256 salted authenticator
Date Tue, 30 Oct 2012 23:09:09 GMT
No, I saw this:

 // Default password is MD5 hashed.  Set the following variable to false
to disable this.
-var md5Hashed = true;
-var md5HashedLogin = true;
+var md5Hashed = false;
+var md5HashedLogin = false;
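Review bot: the context comment above the two variables still reads "Default password is MD5 hashed. Set the following variable to false to disable this." after both defaults have been flipped to false, so it now describes the behaviour that was removed; update it to say that the UI sends the password as typed and the server-side authenticator hashes it. Because the login request from the browser now carries the password itself rather than its MD5 value, the heads-up to operators should also spell out that this endpoint must only be reached over a protected channel.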

This led me to understand that the ui will send a plaintext password to
the backend.

It looks like the backend will encode it before comparing it with the DB
hence ensuring compatibility?

Anyway, it is probably wise to give a heads-up BEFORE doing such a change.
Ideally we should have a bug id.
Also, it looks like some unrelated stuff went into the same changeset.

On 10/30/12 2:47 PM, "Hugo Trippaers" <>

>It shouldn't break anything, I did test this with a 4.0 database and had
>no trouble at all.
>Did you see something going wrong Chiradeep?
>Sent from my iPhone
>On 30 Oct. 2012, at 21:10, "Wido den Hollander" <> wrote:
>> On 30-10-12 19:50, Chiradeep Vittal wrote:
>>> This probably breaks upgrade from 4.0. I would revert this until we
>>> find a solution that does not break upgrades.
>> Does it? As long as you don't enable this component it won't do a thing?
>> Wido
>>> On 10/30/12 5:16 AM, "Hugo Trippaers" <>
>>> wrote:
>>>> Hey all,
>>>> I just pushed some changes to the master branch. This is change based
>>>> some security requirements that we have for storing passwords and
>>>> The commit is here
>>>> t;h=bd58ceccd8d08a2484384a7eef6ef3c681a1e188
>>>> The main goal of this change was to add a new authenticator that uses
>>>> SHA256 algorithm and uses a salt.  This is now implemented, but to
>>>> get it working I needed to make a few changes to how encryption was done.
>>>> I've tested with new code with an existing database and verified that
>>>> users can be created, can be updated (including passwords) and that
>>>> can log in on the UI without any changes to the database. The default
>>>> authenticator is still set to the MD5Authenticator.
>>>> For people that want to use the new authenticator, just change the
>>>> and add the following line '<adapter
>>>> class="">' to
>>>> UserAuthenticator. Note that this prevents any existing users for
>>>> in as their passwords will be incorrect with the new authenticator.
>>>> Reference:
>>>> Cheers,
>>>> Hugo
>>>> Below the text of the commit for reference:
>>>> The authenticators now have an encode function that cloudstack will
>>>> to encode the user supplied password before storing it in the
>>>> This makes it easier to add other authenticators with other hashing
>>>> algorithms. This requires a two step approach to creating the admin
>>>> account at first start as the authenticators are only present in the
>>>> management-server component locator.
>>>> The SHA256 salted authenticator makes use of this new system and adds a
>>>> hashing algorithm based on SHA256 with a salt. This type of hash is
>>>> less susceptible to rainbow table attacks.
>>>> To make use of these new features the user's password will be sent over
>>>> the wire just as he typed it and it will be transformed into a hash on
>>>> the server and compared with the stored password. This means that the
>>>> hash will not go over the wire anymore.
>>>> The default authenticator in components.xml is still set to md5 for
>>>> backwards compatibility. For new installations the sha256 could be
>>>> enabled.
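The encode-then-compare flow and the upgrade question argued over in this thread, as an added illustration written for this page in Python rather than taken from CloudStack's Java code. The authenticator names, the salt being prepended to the password, the "salt:hex" storage layout and the sample password are assumptions of this example only.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Legacy authenticator: the stored value is the unsalted MD5 hex digest.
def md5_encode(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_check(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_encode(password), stored)

# Salted authenticator: per-user random salt, SHA256(salt || password).
# The "salt:hex" storage layout is an assumption for this example,
# not the CloudStack authenticator's own format.
def sha256_salted_encode(password: str, salt: Optional[str] = None) -> str:
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}:{digest}"

def sha256_salted_check(password: str, stored: str) -> bool:
    salt, sep, _ = stored.partition(":")
    if not sep or not salt:
        # A legacy unsalted MD5 record carries no salt to recompute with, so
        # the new authenticator rejects it: the upgrade break in the thread.
        return False
    return hmac.compare_digest(sha256_salted_encode(password, salt), stored)

AUTHENTICATORS = {"md5": md5_check, "sha256": sha256_salted_check}

def login(configured: str, stored: str, typed_password: str) -> bool:
    """Server side: the password arrives as typed and the configured
    authenticator re-encodes it before comparing with the DB value."""
    return AUTHENTICATORS[configured](typed_password, stored)

def same_password_same_record(encode: Callable[[str], str], password: str) -> bool:
    """True when two users with the same password get identical stored
    values, i.e. one precomputed table would crack both at once."""
    return encode(password) == encode(password)

if __name__ == "__main__":
    legacy = md5_encode("Passw0rd")  # constructed record from a 4.0 database
    print("md5 authenticator, legacy record:   ", login("md5", legacy, "Passw0rd"))
    print("sha256 authenticator, legacy record:", login("sha256", legacy, "Passw0rd"))
    print("identical records for equal passwords: md5=%s sha256=%s" % (
        same_password_same_record(md5_encode, "Passw0rd"),
        same_password_same_record(sha256_salted_encode, "Passw0rd")))
```

With the MD5 authenticator still configured the old records keep working because the server hashes the typed password the same way the UI used to; switching to the salted authenticator rejects every record that has no salt.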
