Heya,

Just to be clear, the default setting (even with my commit) is still MD5. This is for backwards compatibility, so none of my changes should break the upgrade path or existing installations. I did some testing with an existing database and found no problems with users. That is obviously the typical 'it-works-on-my-laptop' type of statement, but I tried to do some serious testing. As always, more testing is welcome.
SHA256 is just an addition for people that are more security minded; they can enable it themselves when they want to. Again, the default should stay on MD5 to guarantee backwards compatibility. Though in the future I would like to propose to set the default to sha256 for new installations, but that's another discussion.

Cheers,

Hugo

> -----Original Message-----
> From: Musayev, Ilya [mailto:[email protected]]
> Sent: Tuesday, October 30, 2012 7:24 PM
> To: [email protected]
> Subject: RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>
> Chiradeep,
>
> I take it back,
>
> Just looked at what Hugo proposed on commits, if we use SHA256 vs MD5 - it will break auth for existing users. Can we stay with MD5?
>
> Thanks
> ilya
>
> -----Original Message-----
> From: Musayev, Ilya [mailto:[email protected]]
> Sent: Tuesday, October 30, 2012 2:19 PM
> To: [email protected]
> Subject: RE: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>
> Chiradeep,
>
> If we have a failback mechanism I mentioned earlier - it should not.
>
> Regards
> Ilya
>
> -----Original Message-----
> From: Chiradeep Vittal [mailto:[email protected]]
> Sent: Tuesday, October 30, 2012 2:12 PM
> To: CloudStack DeveloperList
> Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
>
> Hugo, this will probably break anybody who upgrades?
>
> On 10/30/12 5:25 AM, "Hugo Trippaers" <[email protected]> wrote:
>
> >Heya,
> >
> >I just pushed some changes to the auth mechanism to the master branch, maybe they make life a bit easier for you as well.
> >
> >The md5 crypt in the website is in my opinion a pretty useless feature. It might be argued that it prevents a man-in-the-middle sniffing that password, but that is also what SSL/TLS is for, and with the current implementation we don't even need the password. Just saving the hash is good enough to login. With my commit I've set the md5 hashing in the client to disabled by default.
> >
> >The creation of the admin user is now linked to the authenticator you have configured as the first in components.xml.in. It uses the encode method of that authenticator to hash the default password and stores the hash in the database.
> >
> >I've implemented a method in the LDAP authenticator that generates a random password for any LDAP accounts, as there should be no need to store that in the database; just a bind to the AD should be enough.
> >
> >Hope this helps a bit.
> >
> >Cheers,
> >
> >Hugo
> >
> >> -----Original Message-----
> >> From: Abhinandan Prateek [mailto:[email protected]]
> >> Sent: Tuesday, October 30, 2012 5:33 AM
> >> To: [email protected]
> >> Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
> >>
> >> Ilya,
> >> Yes that is correct. We need to first disable the md5 encryption being done by javascript. There is a variable (md5Hashed/md5HashedLogin) setting in javascript that controls this. If you can try this setting and switch the authenticator in component.xml and submit the patch that would be great.
> >> -abhi
> >>
> >> On 30/10/12 1:57 AM, "Musayev, Ilya" <[email protected]> wrote:
> >>
> >> >Abhi
> >> >
> >> >In order for this setting to work in components.xml,
> >> >
> >> >1) we need to disable the md5hashedLogin (or set it to false) in sharedFunctions.js - because this encrypts the password within user browser session before it's sent to CloudStack.
> >> >Example:
> >> > On login page, I login with username "abhi" and password "123456", when you press submit, because md5hashedLogin is set to true by default and javascript is run on user browser session, the password now becomes "e10adc3949ba59abbe56e057f20f883e" and is sent to CS for verification
> >> > component XML says my password is plain text (while it's already stored as MD5 hash due to javascript) and submits it to LDAP-AD as plain method of authentication
> >> > LDAP-AD attempts to match user "abhi" plain password "123456" with - CS user "abhi" and password "e10adc3949ba59abbe56e057f20f883e" - this will result in ldap error 52e - invalid credentials
> >> > * I've confirmed this behavior with tcpdump / wireshark on CS3.0.4 and CS4.0
> >> >
> >> >
> >> >2) default admin password (and other local user passwords) are stored as md5 hash in mysql, altering the adapter name="MD5" to PlainTextUserAuthenticator - will break local user authentication.
> >> >It won't fix the LDAP issue because javascript overrides the password when user presses submit.
> >> >
> >> >Regards
> >> >ilya
> >> >
> >> >
> >> >If we don't
> >> >
> >> >-----Original Message-----
> >> >From: Abhinandan Prateek [mailto:[email protected]]
> >> >Sent: Monday, October 29, 2012 1:02 AM
> >> >To: [email protected]
> >> >Subject: Re: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
> >> >
> >> >The javascript encodes the password. We need to disable the encoding even for regular login. In component.xml replace
> >> >
> >> > <adapter name="MD5" class="com.cloud.server.auth.MD5UserAuthenticator"/>
> >> >
> >> >With
> >> > <adapter name="MD5" class="com.cloud.server.auth.PlainTextUserAuthenticator"/>
> >> >
> >> >With above change the CS will start authenticating with un-encrypted passwords. This will now work with all external authentication systems including LDAP-AD.
> >> >
> >> >-abhi
> >> >
> >> >
> >> >
> >> >On 29/10/12 4:50 AM, "Musayev, Ilya" <[email protected]> wrote:
> >> >
> >> >>No takers :( ?
> >> >>
> >> >>I guess most people don't run evil empire AD.
> >> >>
> >> >>-----Original Message-----
> >> >>From: Musayev, Ilya [mailto:[email protected]]
> >> >>Sent: Friday, October 26, 2012 3:46 PM
> >> >>To: [email protected]
> >> >>Subject: [REVIEW] MS LDAP Auth patch - UI CSS and Architecture help needed
> >> >>
> >> >>Below is proof of concept code to get the Microsoft Active Directory LDAP Authentication to work with CS3 and CS4. I've been using it in my environment - so it's tested and works well.
> >> >>
> >> >>Problem Description:
> >> >> When user enters password in login page, the password is encrypted via MD5 through a javascript function that checks if md5HashedLogin is set to true. If so, MD5 encoded password is passed into JSP for further verification against an MD5 stored password in local MySQL DB. Since MySQL DB password is also MD5 encrypted, it will result in successful authentication.
> >> >> If end-user enabled AD LDAP Authentication via API, MS AD does not support MD5 hashed passwords. I tried altering LDAP/MD5 settings in components.xml, but it has not helped because the password is encrypted on user session level.
> >> >>
> >> >>Solution Details:
> >> >> A very simple and somewhat elegant solution is to add a checkbox on login page that would either set off or on md5hashedLogin boolean logic via javascript function. Example: if box checked or unchecked - do - md5HashedLogin = !md5HashedLogin - on each event. This solution allows for both local and external authentication mechanism to function.
> >> >>
> >> >>
> >> >>Review Needed:
> >> >>
> >> >>
> >> >>1) What is your thought on including this patch into CS 4.0 and backporting to 3.0?
> >> >>
> >> >>2) Can someone who has non MS LDAP env test this solution to see if it breaks anything.
> >> >>
> >> >>CSS Help:
> >> >> While I was trying to make it look nice, CSS is not my strongest skill and after some time of fiddling with it, I had to shift my focus on another more urgent task. I also figured for a UI guru this will be a 1 minute fix. If your CSS skills are better than mine (that's almost everyone on this list), please help make it a little more user appealing.
> >> >>
> >> >>
> >> >>Implementation Details:
> >> >>
> >> >>There are probably 10 lines of code total to add in 3 files, index.jsp, cloudstack3.css and sharedFunctions.js. The patch was generated with "diff -u" which should work with linux patch command, but if not - it will take less than 1 minute to make these changes by hand.
> >> >>
> >> >>Please let me know what your thoughts are on this patch; once we agree, I will make it proper as per developer guidelines.
> >> >>
> >> >>
> >> >>/usr/share/cloud/management/webapps/client/index.jsp > >> >>--- /usr/share/cloud/management/webapps/client/index.jsp.orig1 > >> >>2012-10-25 13:50:49.244834323 -0400 > >> >>+++ /usr/share/cloud/management/webapps/client/index.jsp 2012- 10-26 > >> >>+++ 15:04:17.836817297 -0400
> >> >>@@ -58,6 +58,10 @@ > >> >> <label for="password"><fmt:message > >> >>key="label.password"/></label> > >> >> <input type="password" name="password" > >>class="required" /> > >> >> </div> > >> >>+ <div class="field"> > >> >>+ MS AD LDAP AUTH > >> >>+ <input type="checkbox" name="ldap_auth" > >>id="ldap_auth" > >> >>value="0" onclick="my_ldap_auth();"/> > >> >>+ </div> > >> >> <!-- Domain --> > >> >> <div class="field domain"> > >> >> <label for="domain"><fmt:message > >> >>key="label.domain"/></label> > >> >> > >> >> > >> >> > >> >>--- > >> /usr/share/cloud/management/webapps/client/css/cloudstack3.css.orig > >> >> 2012-10-26 15:16:47.532831544 -0400 > >> >>+++ > /usr/share/cloud/management/webapps/client/css/cloudstack3.css > >> >> 2012-10-25 13:09:23.683813597 -0400 @@ -352,6 +352,11 @@ > >> >> text-shadow: 0px 1px 2px #000000; } > >> >>+.login .fields input[type=checkbox] { > >> >>+ display: block; > >> >>+} > >> >>+ > >> >>+ > >> >>.login .fields input[type=submit]:hover { > >> >> background-position: -563px -772px; } > >> >> > >> >>--- > >> > >>/usr/share/cloud/management/webapps/client/scripts/sharedFunctions. > >> >>j > >> s. > >> >>ori > >> >>g > >> >> 2012-10-26 15:19:22.334833312 -0400 > >> >>+++ > >> /usr/share/cloud/management/webapps/client/scripts/sharedFunctions. > >> >>+++ js > >> >> 2012-10-23 11:07:51.373793431 -0400 @@ -40,6 +40,13 @@ > >> >>var md5Hashed = true; var md5HashedLogin = true; > >> >>+//AD auth support by setting the md5HashedLogin to false function > >> >>+my_ldap_auth() { > >> >>+ md5HashedLogin = !md5HashedLogin; } > >> >>+ > >> >>+ > >> >>//page size for API call (e.g."listXXXXXXX&pagesize=N" ) var > >> >>pageSize = 20; > >> >> > >> > > >> > > >> > > > > > > >
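Review bot: in the index.jsp hunk the caption `MS AD LDAP AUTH` is a bare string next to fields whose labels go through `<fmt:message key="..."/>`, and the checkbox has no `<label for="ldap_auth">`. Wrapping it the same way as its neighbours, e.g. `<label for="ldap_auth"><fmt:message key="label.ldap.auth"/></label>` with a key of your choosing added to the message bundle, matches the surrounding markup and keeps the login page translatable.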
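Review bot: the cloudstack3.css and sharedFunctions.js headers date the `.orig` copies (2012-10-26) later than the `+++` files they are compared with (2012-10-25 and 2012-10-23), so either the sides are reversed or the diffs were cut from stale working copies; the `+` lines read as the intended additions, but regenerating all three diffs from one tree against the same baseline, as the index.jsp header already does, spares reviewers from having to work out which side is the change.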
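Review bot: in the sharedFunctions.js hunk, my_ldap_auth() flips md5HashedLogin on every click instead of reading the checkbox, so the flag and the control can disagree (a browser that restores a checked box on reload leaves md5HashedLogin true while the box shows LDAP selected). Deriving the flag from the control, `md5HashedLogin = !document.getElementById('ldap_auth').checked;`, keeps the two in step, and the `value="0"` attribute on the input is then never read and can be dropped; a short comment on why the hash must be off for an AD bind would also help the next reader.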
