Are all authentication plugins loaded by default and working in an authentication chain? Otherwise, why should we keep the hash type in the DB?
> -----Original Message-----
> From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
> Sent: Thursday, September 12, 2013 9:56 AM
> To: dev@cloudstack.apache.org
> Subject: plain text authenticator
>
> So if you set your password as blah, it gets hashed to xyz and stored in
> the users table. Because of the plain text authenticator, you can use that
> hashed value as your password now. So specifically the below will work.
>
> http://localhost:8080/client/api?command=login&username=user&password=blah
>
> http://localhost:8080/client/api?command=login&username=user&password=xyz
>
> This seems bad. Go and try it yourself (just be careful about URL encoding, +
> should be %2b). So because of the existence of the plain text authenticator,
> passwords are still plain text but they just happen to be long random strings.
> Typically in an auth system you store the hashing type with the hashed value.
> So then the plain text authenticator would not even attempt to compare values
> because it would see the value was hashed by a different authenticator.
>
> Darren
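Added example (not code from this thread or from CloudStack) contrasting the two designs Darren describes: an authenticator chain where the users table holds only the hashed value, and one where it also records the hash type so each plugin only handles values it produced. SHA-256, the `hash_type` tag and the sample user row are constructed assumptions, not CloudStack's actual scheme.

```python
import hashlib
import hmac
from typing import Callable, List, Optional

# Constructed sample row from a users table: the password "blah" stored as a
# SHA-256 hex digest. Algorithm and layout are assumptions, not CloudStack's.
STORED_VALUE = hashlib.sha256(b"blah").hexdigest()

Authenticator = Callable[[str, str, Optional[str]], bool]


def sha256_authenticator(supplied: str, stored: str, hash_type: Optional[str]) -> bool:
    """Hashes the supplied password and compares; skips rows tagged for another plugin."""
    if hash_type is not None and hash_type != "sha256":
        return False
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    return hmac.compare_digest(digest.encode(), stored.encode())


def plaintext_authenticator(supplied: str, stored: str, hash_type: Optional[str]) -> bool:
    """Compares the supplied password to the stored value as-is (plain text plugin)."""
    if hash_type is not None and hash_type != "plaintext":
        return False
    return hmac.compare_digest(supplied.encode(), stored.encode())


CHAIN: List[Authenticator] = [sha256_authenticator, plaintext_authenticator]


def login_untagged(supplied: str) -> bool:
    """Design the thread warns about: no hash type in the DB, so every plugin in
    the chain is tried against the same stored value, and the plain text plugin
    accepts the stored digest itself as a valid password."""
    return any(auth(supplied, STORED_VALUE, None) for auth in CHAIN)


def login_tagged(supplied: str) -> bool:
    """Fix the thread proposes: the DB records which plugin produced the value
    ("sha256" here), so the plain text plugin declines to compare against a hash."""
    return any(auth(supplied, STORED_VALUE, "sha256") for auth in CHAIN)


if __name__ == "__main__":
    for name, login in (("untagged", login_untagged), ("tagged", login_tagged)):
        print(name, "real password:", login("blah"), "stored digest:", login(STORED_VALUE))
```

Running it shows that only the tagged design rejects the stored digest while still accepting the real password, which is why the hash type belongs in the DB even when every plugin is loaded.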