cloudstack-dev mailing list archives

From Rajesh Battala <rajesh.batt...@citrix.com>
Subject RE: plain text authenticator
Date Fri, 13 Sep 2013 04:47:59 GMT
It's not a good idea to iterate on all authenticators. If the real authenticator fails for
some reason (if it's not able to handle some exception properly), it will continue on invalid
authenticators and may result in a wrong value/result.

Thanks
Rajesh Battala
-----Original Message-----
From: Ian Duffy [mailto:ian@ianduffy.ie]
Sent: Friday, September 13, 2013 2:52 AM
To: CloudStack Dev
Subject: Re: plain text authenticator

> Don't authenticators work as plugins in cloudstack with plain text
> authenticator as default? I think we should leave it for the customer to decide whether he
> wants to disable or keep the authenticator

Couldn't agree more with this! Going through each authenticator until a successful result
is found is horrible!


On 12 September 2013 19:09, Frank Zhang <Frank.Zhang@citrix.com> wrote:

> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in DB?
>
> > -----Original Message-----
> > From: Darren Shepherd [mailto:darren.s.shepherd@gmail.com]
> > Sent: Thursday, September 12, 2013 9:56 AM
> > To: dev@cloudstack.apache.org
> > Subject: plain text authenticator
> >
> > So if you set your password as blah and it gets hashed to xyz and stored
> > in the users table.  Because of the plain text authenticator, you can use
> > that hashed value as your password now.  So specifically the below will work.
> >
> > http://localhost:8080/client/api?command=login&username=user&password=blah
> >
> > http://localhost:8080/client/api?command=login&username=user&password=xyz
> >
> > This seems bad.  Go and try it yourself (just be careful about URL
> > encoding, + should be %2b).  So because of the existence of the plain text
> > authenticator, passwords are still plain text but they just happen to be
> > long random strings.  Typically in an auth system you store the hashing type
> > with the hashed value.  So then the plain text authenticator would not even
> > attempt to compare values because it would see the value was hashed by a
> > different authenticator.
> >
> > Darren
>