incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From prasanna <>
Subject Re: Review Request: Make SHA256Salt the default password encoding and authentication mechanism for cloudstack
Date Thu, 21 Mar 2013 05:09:38 GMT
On 20 March 2013 23:56, Vijayendra Bhamidipati
<> wrote:
> Hi Chip, Prasanna,
> Yes, the change is pretty straightforward, the reasoning is to make default password
encoding more secure because the SHA256salted authenticator recently added by Hugo salts the
passwords while the existing MD5 authenticator doesn't, and is the default. This change gives
the CS admin the flexibility to choose the ordering of the encoders/authenticators. No new
authenticator/encoder classes needed to be added, the existing ones are simply used better.
> Upgrade scenarios were considered and these changes will have no effect on upgrades.
Only new users and updated users will have their passwords encoded by the first valid encoder
in the UserPasswordEncoder list. Existing users will still get authenticated as before since
authentication passes through all the authenticators available in the UserAuthenticator list
until one of them succeeds or all fail.

Thanks Vijay, I'm just wondering how does someone not dealing with the
UI know the auth mechanism to use? When login happens, when account
creation happens, or when api signing happens (unaffected?)? Is there
an API call that lists the authenticators in use on the deployment? So
the appropriate cipher can be applied at client side?

Also - could you list out a few tests that can be taken up to ensure
the feature is smoke tested. By that I mean - tests that will ensure
this feature isn't broken say when a new authenticator is used. I'm
looking to put them down as marvin tests.

View raw message