cloudstack-dev mailing list archives
From Darren Shepherd <darren.s.sheph...@gmail.com>
Subject plain text authenticator
Date Thu, 12 Sep 2013 16:56:13 GMT
So if you set your password as blah, it gets hashed to xyz and stored in the users table. Because of the plain text authenticator, you can use that hashed value as your password now. So specifically the below will work.

http://localhost:8080/client/api?command=login&username=user&password=blah

http://localhost:8080/client/api?command=login&username=user&password=xyz

This seems bad. Go and try it yourself (just be careful about URL encoding: + should be %2b). So because of the existence of the plain text authenticator, passwords are still plain text; they just happen to be long random strings. Typically in an auth system you store the hashing type with the hashed value. So then the plain text authenticator would not even attempt to compare values, because it would see the value was hashed by a different authenticator.

Darren
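
The authenticator-chain design Darren describes, and the fix he suggests (recording the hashing scheme alongside the stored value so that each authenticator declines records that are not its own), as an added illustration. This is example code written for this archive page, not CloudStack's own authenticators; the scheme names `plain` and `sha256salted`, the `salt:digest` record layout, the in-memory "users table" and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample "users table": user name -> stored credential string.
# Weak layout stores "salt:hexdigest" with no record of which scheme produced it;
# corrected layout stores "scheme:payload" so authenticators can recognise their own records.
USERS_UNTAGGED = {}
USERS_TAGGED = {}

KNOWN_SCHEMES = {"plain", "sha256salted"}  # hypothetical scheme tags


def sha256_salted(password: str, salt_hex: str) -> str:
    """Salted SHA-256 of the password, hex encoded (hypothetical hashing scheme)."""
    return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()


def parse_record(stored: str):
    """Split a stored credential into (scheme, payload); untagged records give scheme None."""
    head, sep, rest = stored.partition(":")
    if sep and head in KNOWN_SCHEMES:
        return head, rest
    return None, stored


class PlainTextAuthenticator:
    """Compares the supplied password directly against the stored payload."""
    scheme = "plain"

    def authenticate(self, stored, supplied):
        scheme, payload = parse_record(stored)
        if scheme is not None and scheme != self.scheme:
            return None  # record belongs to another authenticator: decline, do not compare
        return hmac.compare_digest(payload.encode("utf-8"), supplied.encode("utf-8"))


class Sha256SaltedAuthenticator:
    """Re-hashes the supplied password with the stored salt and compares digests."""
    scheme = "sha256salted"

    def authenticate(self, stored, supplied):
        scheme, payload = parse_record(stored)
        if scheme is not None and scheme != self.scheme:
            return None
        salt, _, digest = payload.partition(":")
        if not salt or not digest:
            return None  # not in salt:digest form, so this record cannot be ours
        try:
            return hmac.compare_digest(sha256_salted(supplied, salt), digest)
        except ValueError:
            return None  # salt is not hex: not our record either


# Same chain for both layouts; the difference is only in what the records carry.
CHAIN = [Sha256SaltedAuthenticator(), PlainTextAuthenticator()]


def login(users, username, password):
    """First authenticator that answers True wins; None means 'not my record'."""
    stored = users.get(username)
    if stored is None:
        return False
    return any(auth.authenticate(stored, password) for auth in CHAIN)


def register_untagged(users, username, password):
    """Weak layout: the stored value says nothing about how it was produced."""
    salt = secrets.token_hex(8)
    users[username] = f"{salt}:{sha256_salted(password, salt)}"
    return users[username]


def register_tagged(users, username, password):
    """Corrected layout: the scheme is recorded with the hashed value."""
    salt = secrets.token_hex(8)
    users[username] = f"sha256salted:{salt}:{sha256_salted(password, salt)}"
    return users[username]


if __name__ == "__main__":
    stored = register_untagged(USERS_UNTAGGED, "user", "blah")
    print("untagged, real password:", login(USERS_UNTAGGED, "user", "blah"))
    print("untagged, stored value as password:", login(USERS_UNTAGGED, "user", stored))
    stored = register_tagged(USERS_TAGGED, "user", "blah")
    print("tagged, real password:", login(USERS_TAGGED, "user", "blah"))
    print("tagged, stored value as password:", login(USERS_TAGGED, "user", stored))
```

With untagged records the plain text authenticator has no way to know the stored string is a digest, so it happily compares it byte for byte and the stored value doubles as a password. Once the scheme tag is present, the plain text authenticator returns None for anything not tagged `plain` and the SHA-256 authenticator only ever compares a freshly computed digest, so neither the bare `salt:digest` nor the full tagged record is accepted as a password.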
