From: aaron morton
To: user@cassandra.apache.org
Subject: Re: Questions about using MD5 encryption with SimpleAuthenticator
Date: Wed, 18 May 2011 12:57:39 +1200

If you need it create a ticket on https://issues.apache.org/jira/browse/CASSANDRA

Aaron

-----------------
Aaron Morton
Freelance Cassandra Developer
@aaronmorton
http://www.thelastpickle.com

On 18 May 2011, at 10:52, Sameer Farooqui wrote:

> Oops, my bad... please ignore the email below. It actually works with the plain text password (I had forgotten to update the passwd.properties file on one node which was causing the login to fail).
>
> Example of successful login:
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 'nosql' -k MDR
> Connected to: "Demo_Cluster_beta1" on ec2-50-19-26-189.compute-1.amazonaws.com/9160
> Welcome to the Cassandra CLI.
>
> Would still be nice though to use the bcrypt hash over MD5 for stronger security.
>
> - Sameer
>
> On Tue, May 17, 2011 at 3:05 PM, Sameer Farooqui wrote:
> Hey Aaron,
>
> Unfortunately it fails with plaintext password also:
>
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 'nosql' -k MDR
> Login failure. Did you specify 'keyspace', 'username' and 'password'?
> Welcome to the Cassandra CLI.
> <quit CLI manually>
>
> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw nosql -k MDR
> Login failure. Did you specify 'keyspace', 'username' and 'password'?
> Welcome to the Cassandra CLI.
> <quit CLI manually>
>
> Regarding the security of MD5, I'm not a security guy either, but it seems quite easy to crack, especially for short passwords.
>
> This website was quickly able to decrypt my MD5 digest (which is honestly not very complex) and give me the original plaintext: http://md5.noisette.ch/index.php
>
> Longer list of MD5 rainbow table sites: http://www.stottmeister.com/blog/2009/04/14/how-to-crack-md5-passwords/
>
> Anyway, any help with the original question of how to input the password to the Cassandra-CLI would be much appreciated!
>
> - Sameer
>
> On Tue, May 17, 2011 at 1:03 PM, aaron morton wrote:
> Use the plain text password via the cli, the server will make a hash and compare it to the one in the file.
>
> wrt SHA-2 I'm not a security guy but MD5 is probably "good enough" for the problem of storing passwords in plain text in a file.
>
> Hope that helps.
>
> -----------------
> Aaron Morton
> Freelance Cassandra Developer
> @aaronmorton
> http://www.thelastpickle.com
>
> On 17 May 2011, at 10:59, Sameer Farooqui wrote:
>
>> By the way, just noticed a typo in my email below. I'm using the correct keyspace name in all locations on the cluster... however in my examples below, I used MyKeyspace in some spots and MDR in other spots, but in the cluster I'm specifying the same keyspace name everywhere, so that's not the issue.
>>
>> - Sameer
>>
>> On Mon, May 16, 2011 at 3:55 PM, Sameer Farooqui wrote:
>> Hi all,
>>
>> We are trying to use MD5 encrypted passwords. Quick question first - Is SHA-2 supported yet? US-CERT of the U. S. Department of Homeland Security has said that MD5 "should be considered cryptographically broken and unsuitable for further use", and SHA-2 family of hash functions is recommended.
>>
>> The issue I'm seeing is that when I turn on MD5 encryption, I can't log into the cluster from Cassandra-CLI (I get a login failure).
>>
>> The cassandra.in.sh file has been changed as so:
>>
>> JVM_OPTS="
>>         -Dpasswd.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/passwd.properties \
>>         -Daccess.properties=/home/ubuntu/apache-cassandra-0.8.0-beta1/conf/access.properties \
>>         -Dpasswd.mode=MD5"
>>
>> And I ran this python script to generate a MD5 hash:
>> ubuntu@darknet:~$ python
>> Python 2.6.6 (r266:84292, Sep 15 2010, 15:52:39)
>> [GCC 4.4.5] on linux2
>> Type "help", "copyright", "credits" or "license" for more information.
>> >>> from hashlib import md5
>> >>> p = "nosql"
>> >>> h = md5(p).hexdigest()
>> >>> print h
>> 9fa1b39e7eb877367213e6f7e37d0b01
>>
>> Then I updated the passwd.properties file with the new hashed password:
>> jdoe=9fa1b39e7eb877367213e6f7e37d0b01
>>
>> Also, the access.properties file is properly set so that jdoe has rw access to the keyspace and CF:
>> MyKeyspace.<rw>=jdoe,jsmith
>> MyKeyspace.MyCF.<rw>=jsmith,jdoe
>>
>> But when I try to connect to the cluster now, I'm getting a login failure. I have tried a few different ways of connecting:
>>
>> Ran this from the Cassandra CLI:
>> [default@unknown] connect ec2-50-19-26-189.compute-1.amazonaws.com/9160 jdoe '9fa1b39e7eb877367213e6f7e37d0b01';
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>> Ran these from the Ubuntu CLI:
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw 9fa1b39e7eb877367213e6f7e37d0b01 -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>> ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$ bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u jdoe -pw '9fa1b39e7eb877367213e6f7e37d0b01' -k MDR
>> Login failure. Did you specify 'keyspace', 'username' and 'password'?
>>
>> Hmm, what am I doing wrong?
>>
>> - Sameer


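The check described in the thread (the server hashes the plain-text password the client sends and compares it with the digest in the file), together with the unsalted-digest concern raised about MD5, modelled as an added example. This is not SimpleAuthenticator's source or code from the thread: the function names and the sample file contents are constructed, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which the standard library does not provide.

```python
import hashlib
import hmac
import os

def md5_hex(password):
    """Unsalted MD5 hex digest, the format generated in the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def parse_passwd(text):
    """Parse user=value lines laid out like the passwd.properties entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, value = line.split("=", 1)
            entries[user.strip()] = value.strip()
    return entries

def check_md5_mode(entries, user, supplied):
    """Model of MD5 mode: hash what the client sent, compare with the file."""
    stored = entries.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(md5_hex(supplied), stored.lower())

def kdf_record(password, salt=None, rounds=200_000):
    """Salted, deliberately slow record: 'rounds$salthex$hashhex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "%d$%s$%s" % (rounds, salt.hex(), digest.hex())

def check_kdf(record, supplied):
    """Recompute with the stored salt and round count, then compare."""
    rounds, salt_hex, _ = record.split("$")
    candidate = kdf_record(supplied, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, record)

# Constructed sample file: two users who happen to share a password.
ENTRIES = parse_passwd("jdoe={0}\njsmith={0}\n".format(md5_hex("nosql")))

if __name__ == "__main__":
    # Plain-text password is accepted; the digest sent as a password is not.
    print(check_md5_mode(ENTRIES, "jdoe", "nosql"))
    print(check_md5_mode(ENTRIES, "jdoe", ENTRIES["jdoe"]))
    # Unsalted digests repeat across users, so a precomputed table covers both.
    print(ENTRIES["jdoe"] == ENTRIES["jsmith"])
    # Salted records differ for the same password and still verify.
    first, second = kdf_record("nosql"), kdf_record("nosql")
    print(first != second, check_kdf(first, "nosql"), check_kdf(first, "guess"))
```

Sending the hex digest as the password fails because the check hashes it a second time, which matches the login failures shown when the digest was passed to `-pw`.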