incubator-cloudstack-dev mailing list archives

From Chiradeep Vittal <Chiradeep.Vit...@citrix.com>
Subject Re: user credentials
Date Mon, 30 Apr 2012 17:05:42 GMT
Just wanted to point out this only affects the session-based logins via
the GUI (although one can script this kind of API interaction as well).
API-key-based authentication continues as before.

On 4/30/12 9:15 AM, "Abhinandan Prateek" <Abhinandan.Prateek@citrix.com>
wrote:

>The deprecation of MD5 can be done in a graceful fashion with the
>following scheme:
>
>We add an Authenticator which can take plaintext password and add it after
>the MD5 authenticator.  Anyone who is already using the MD5 password in
>API will continue to function as they are now.
>Anyone upgrading is not affected.
>
>Any new integrator/cloudstack user can start using plaintext password in
>API without issues, as there is a plaintext authenticator in the chain.
>Again the use of SSL ensures channel security and keeps the password safe
>as is done by countless other websites taking plaintext passwords from
>the users.
>
>With plaintext passwords cloudstack can now seamlessly work with external
>authentication systems as well. With this we do not need a new parameter
>too, probably a warning in the logs saying that this is going to be
>deprecated soon.
>
>-Abhi
>
>-----Original Message-----
>From: Kevin Kluge [mailto:Kevin.Kluge@citrix.com]
>Sent: Monday, April 30, 2012 9:30 PM
>To: Will Chan; cloudstack-dev@incubator.apache.org
>Subject: RE: user credentials
>
>This means the client has to figure out whether to send MD5 hash or
>cleartext on a per-cloud basis.  That seems unreasonable.
>
>Why don't we just send plain text passwords and expect the use of SSL?
>We'd have to add a new parameter and deprecate the current MD5 hash
>password.
>
>-kevin
>
>> -----Original Message-----
>> From: Will Chan
>> Sent: Saturday, April 28, 2012 4:39 PM
>> To: cloudstack-dev@incubator.apache.org; Kevin Kluge
>> Subject: RE: user credentials
>> 
>> The service provider (or whomever is hosting CloudStack) needs to make
>> that decision.  Using the default CS installation, we default to the
>> MD5UserAuthenticator which requires passwords passed to the login
>> command to be MD5 hashed.  This got changed to plain-text in 3.0 and
>> must be reverted back to MD5 in 3.0.2 when the upgrade patch is
>> released or anyone upgrading could get affected.
>> 
>> If the service/hosting provider wants to use a different hashing
>> algorithm -OR- none, he can create or configure CS to use that adapter.
>> However, they are responsible for informing their customer.
>> 
>> Will
>> 
>> ________________________________________
>> From: Abhinandan Prateek [Abhinandan.Prateek@citrix.com]
>> Sent: Saturday, April 28, 2012 3:28 PM
>> To: Kevin Kluge; cloudstack-dev@incubator.apache.org
>> Subject: RE: user credentials
>> 
>> The use of plaintext passwords in API is required for only those
>> cloudstack users who wish to use an external authentication mechanism
>> and will be documented.
>> The support for the encoded password has to be kept as is due to
>> existing users of cloudstack.
>> 
>> 
>> -----Original Message-----
>> From: Kevin Kluge
>> Sent: Sunday, April 29, 2012 1:09 AM
>> To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
>> Subject: RE: user credentials
>> 
>> How would an API client know to use cleartext or MD5 hash?
>> 
>> 
>> > -----Original Message-----
>> > From: Abhinandan Prateek
>> > Sent: Saturday, April 28, 2012 7:56 AM
>> > To: Kevin Kluge; cloudstack-dev@incubator.apache.org
>> > Subject: RE: user credentials
>> >
>> > In 2.2.* we were passing MD5 encoded password via UI. For Acton it
>> > changed to unencrypted password as that was the only way to have
>> > external systems to authenticate cloudstack users, for example
>> > external LDAP.
>> > This is being reverted back to MD5 encoded password in 3.0.2 as it
>> > was. It will be left to the admin to configure this encryption
>> > mechanism in case LDAP is in use.
>> >
>> > -Abhi
>> >
>> > -----Original Message-----
>> > From: Kevin Kluge
>> > Sent: Saturday, April 28, 2012 8:16 PM
>> > To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
>> > Subject: RE: user credentials
>> >
>> > Abhi, is this a backwards incompatible API change?   Also, what does
>> > it mean for upgrade?
>> >
>> > I thought we always sent MD5 hashed passwords from UI to MS.  Can
>> > you explain the change a bit more?
>> >
>> > -kevin
>> >
>> > > -----Original Message-----
>> > > From: Abhinandan Prateek
>> > > Sent: Saturday, April 28, 2012 12:14 AM
>> > > Subject: user credentials
>> > >
>> > > Team,
>> > >    There has been a change in the way passwords are being passed
>> > > from the cloudstack UI.  In case you have difficulty logging in with
>> > > the new 3.* build, clear your browser cache. If you are using API
>> > > to login then you need to provide
>> > > MD5 encrypted passwords to login instead of plaintext. In case you
>> > > still have issues drop me an email.
>> > > -Abhi
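The authenticator chain Abhi proposes (MD5UserAuthenticator first, a plaintext authenticator after it, no new API parameter), as an added Python sketch that is not CloudStack's own code. The user store, the `login` function, the `secure_channel` flag and the authenticator names as Python callables are assumptions made for the illustration; the MD5 digest store mirrors the thread, not a recommended way to keep passwords.

```python
import hashlib
import hmac
import logging
import re
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("cloudstack.auth")

# Constructed user store: one MD5 hex digest per user, mirroring the thread's
# MD5UserAuthenticator (illustration only, not a recommended password store).
USERS: Dict[str, str] = {"admin": hashlib.md5(b"password").hexdigest()}

Authenticator = Callable[[str, str], bool]

def md5_authenticator(username: str, credential: str) -> bool:
    """Accepts the MD5 hex digest of the password, as pre-3.0 clients send it."""
    stored = USERS.get(username)
    if stored is None or not re.fullmatch(r"[0-9a-fA-F]{32}", credential):
        return False
    return hmac.compare_digest(stored, credential.lower())

def plaintext_authenticator(username: str, credential: str) -> bool:
    """Accepts the plaintext password (the form an external LDAP check needs)."""
    stored = USERS.get(username)
    if stored is None:
        return False
    digest = hashlib.md5(credential.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored, digest)

# Proposed chain: MD5 first so existing clients keep working, plaintext after it.
CHAIN: List[Tuple[str, Authenticator]] = [
    ("MD5UserAuthenticator", md5_authenticator),
    ("PlainTextUserAuthenticator", plaintext_authenticator),
]

def login(username: str, credential: str, secure_channel: bool = True,
          chain: List[Tuple[str, Authenticator]] = CHAIN) -> Optional[str]:
    """Return the name of the authenticator that accepted the login, else None."""
    # The plaintext scheme relies on SSL for channel security, so a login that
    # arrives over a cleartext channel is refused before any authenticator runs.
    if not secure_channel:
        return None
    for name, authenticate in chain:
        if authenticate(username, credential):
            if name == "MD5UserAuthenticator":
                # Deprecation warning in the logs, as the thread proposes
                log.warning("MD5-hashed login for %r is deprecated", username)
            return name
    return None
```

Note the caveat the chain makes visible: the stored digest is exactly what the MD5 authenticator accepts, so client-side MD5 gives no protection beyond the channel and a leaked digest logs in directly, which is part of why plaintext over SSL with a proper server-side (salted, slow) hash is the sounder direction.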

