incubator-cassandra-user mailing list archives

From aaron morton <aa...@thelastpickle.com>
Subject Re: Questions about using MD5 encryption with SimpleAuthenticator
Date Wed, 18 May 2011 00:57:39 GMT
If you need it create a ticket on https://issues.apache.org/jira/browse/CASSANDRA 


Aaron

-----------------
Aaron Morton
Freelance Cassandra Developer
@aaronmorton
http://www.thelastpickle.com

On 18 May 2011, at 10:52, Sameer Farooqui wrote:

> Oops, my bad... please ignore the email below. It actually works with the plain text password (I had forgotten to update the passwd.properties file on one node which was causing the login to fail).
> 
> Example of successful login:
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 'nosql' -k MDR
> Connected to: "Demo_Cluster_beta1" on ec2-50-19-26-189.compute-1.amazonaws.com/9160
> Welcome to the Cassandra CLI.
> 
> 
> Would still be nice though to use the bcrypt hash over MD5 for stronger security.
> 
> 
> - Sameer
> 
> 
> On Tue, May 17, 2011 at 3:05 PM, Sameer Farooqui <cassandralabs@gmail.com> wrote:
> Hey Aaron,
> 
> Unfortunately it fails with plaintext password also:
> 
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 'nosql' -k MDR
> Login failure. Did you specify 'keyspace', 'username' and 'password'?
> Welcome to the Cassandra CLI.
> <quit CLI manually>
> 
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw nosql -k MDR
> Login failure. Did you specify 'keyspace', 'username' and 'password'?
> Welcome to the Cassandra CLI.
> <quit CLI manually>
> 
> Regarding the security of MD5, I'm not a security guy either, but it seems quite easy to crack, especially for short passwords.
> 
> This website was quickly able to decrypt my MD5 digest (which is honestly not very complex) and give me the original plaintext: http://md5.noisette.ch/index.php
> 
> Longer list of MD5 rainbow table sites: http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/
> 
> Anyway, any help with the original question of how to input the password to the Cassandra-CLI would be much appreciated!
> 
> 
> - Sameer
> 
> 
> 
> On Tue, May 17, 2011 at 1:03 PM, aaron morton <aaron@thelastpickle.com> wrote:
> Use the plain text password via the cli, the server will make a hash and compare it to the one in the file.
> 
> wrt SHA-2 I'm not a security guy but MD5 is probably "good enough" for the problem of storing passwords in plain text in a file.
> 
> Hope that helps. 
> 
> -----------------
> Aaron Morton
> Freelance Cassandra Developer
> @aaronmorton
> http://www.thelastpickle.com
> 
> On 17 May 2011, at 10:59, Sameer Farooqui wrote:
> 
>> By the way, just noticed a typo in my email below. I'm using the correct keyspace name in all locations on the cluster... however in my examples below, I used MyKeyspace in some spots and MDR in other spots, but in the cluster I'm specifying the same keyspace name everywhere, so that's not the issue.
>> 
>> - Sameer
>> 
>> 
>> On Mon, May 16, 2011 at 3:55 PM, Sameer Farooqui <cassandralabs@gmail.com> wrote:
>> Hi all,
>> 
>> We are trying to use MD5 encrypted passwords. Quick question first - Is SHA-2 supported yet? US-CERT of the U.S. Department of Homeland Security has said that MD5 "should be considered cryptographically broken and unsuitable for further use", and SHA-2 family of hash functions is recommended.
>> 
>> The issue I'm seeing is that when I turn on MD5 encryption, I can't log into the cluster from Cassandra-CLI (I get a login failure).
>> 
>> The cassandra.in.sh file has been changed as so:
>> 
>> JVM_OPTS="
>>         -Dpasswd.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/passwd.properties \
>>         -Daccess.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/access.properties \
>>         -Dpasswd.mode=MD5"
>> 
>> 
>> And I ran this python script to generate a MD5 hash:
>> ubuntu@darknet:~$ python
>> Python 2.6.6 (r266:84292, Sep 15 2010, 15:52:39)
>> [GCC 4.4.5] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>> >>> from hashlib import md5
>> >>> p = "nosql"
>> >>> h = md5(p).hexdigest()
>> >>> print h
>> 9fa1b39e7eb877367213e6f7e37d0b01
>> 
>> 
>> Then I updated the passwd.properties file with the new hashed password:
>> jdoe=9fa1b39e7eb877367213e6f7e37d0b01
>> 
>> 
>> Also, the access.properties file is properly set so that jdoe has rw access to the keyspace and CF:
>> MyKeyspace.<rw>=jdoe,jsmith
>> MyKeyspace.MyCF.<rw>=jsmith,jdoe
>> 
>> 
>> But when I try to connect to the cluster now, I'm getting a login failure. I have tried a few different ways of connecting:
>> 
>> Ran this from the Cassandra CLI: 
>> [default@unknown] connect ec2-50-19-26-189.compute-1.amazonaws.com/9160 jdoe '9fa1b39e7eb877367213e6f7e37d0b01';
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>> 
>> 
>> Ran these from the Ubuntu CLI:
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 9fa1b39e7eb877367213e6f7e37d0b01 -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>> 
>> 
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw '9fa1b39e7eb877367213e6f7e37d0b01' -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>> 
>> 
>> Hmm, what am I doing wrong?
>> 
>> - Sameer
>> 
>> 
>> 
> 
> 
> 
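
The check described in this thread (the server hashes the submitted plaintext and compares it with the digest in passwd.properties), as an added example that is not part of the original messages and is not Cassandra's own code. The function names, the salted record format and the use of the standard library's PBKDF2-HMAC-SHA256 in place of the bcrypt mentioned in the thread are assumptions; the sample file is constructed.

```python
import hashlib
import hmac
import os

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_passwd(text: str) -> dict:
    """Parse user=value lines in the passwd.properties style shown in the thread."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, value = line.split("=", 1)
            entries[user.strip()] = value.strip()
    return entries

def login_md5_mode(entries: dict, user: str, submitted: str) -> bool:
    """Hash whatever the client sent and compare it with the stored digest."""
    stored = entries.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(md5_hex(submitted), stored.lower())

def make_record(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated record (hypothetical format; PBKDF2 stands in for bcrypt)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_record(record: str, submitted: str) -> bool:
    _scheme, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample file: two users who chose the same password.
SAMPLE = "jdoe=%s\njsmith=%s\n" % (md5_hex("nosql"), md5_hex("nosql"))
ENTRIES = parse_passwd(SAMPLE)

if __name__ == "__main__":
    print(login_md5_mode(ENTRIES, "jdoe", "nosql"))          # plaintext sent by the client
    print(login_md5_mode(ENTRIES, "jdoe", ENTRIES["jdoe"]))  # digest sent as the password
    print(ENTRIES["jdoe"] == ENTRIES["jsmith"])              # unsalted: entries are identical
    print(make_record("nosql") != make_record("nosql"))      # salted: entries differ
```

Sending the digest as the password fails because the server hashes it a second time. The identical unsalted entries for the two users are the property that precomputed lookup tables rely on.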

