> Don't authenticators work as plugins in cloudstack with plain text authenticator as default? I think we should leave it for the customer to decide whether he wants to disable or keep the authenticator
Couldn't agree more with this! Going through each authenticator until a successful result is found is horrible!

On 12 September 2013 19:09, Frank Zhang <frank.zh...@citrix.com> wrote:

> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in DB?
>
> > -----Original Message-----
> > From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
> > Sent: Thursday, September 12, 2013 9:56 AM
> > To: dev@cloudstack.apache.org
> > Subject: plain text authenticator
> >
> > So if you set your password as blah and it gets hashed to xyz and stored in the
> > users table. Because of the plain text authenticator, you can use that hashed
> > value as your password now. So specifically the below will work.
> >
> > http://localhost:8080/client/api?command=login&username=user&password=blah
> >
> > http://localhost:8080/client/api?command=login&username=user&password=xyz
> >
> > This seems bad. Go and try it yourself (just be careful about URL encoding, +
> > should be %2b). So because of the existence of the plain text authenticator,
> > passwords are still plain text but they just happen to be long random strings.
> > Typically in an auth system you store the hashing type with the hashed value.
> > So then the plain text authenticator would not even attempt to compare values
> > because it would see the value was hashed by a different authenticator.
> >
> > Darren
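To make the failure mode and the proposed fix concrete, here is an added example (not CloudStack code, and not written by anyone in this thread) of a first-match authenticator chain in Python. The user store, salt and scheme names ("PLAIN", "PBKDF2") are constructed for the demo; the point is that tagging each stored credential with its hash type lets the plain text authenticator refuse to compare against values another plugin produced.

```python
import hashlib
import hmac

# Constructed, deterministic salt so the example is reproducible; a real
# store would use a per-user random salt.
SALT = b"constructed-demo-salt"


def _pbkdf2(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


# Constructed user store: each entry records which scheme produced "value",
# which is exactly the metadata the thread argues the DB should keep.
USERS = {
    "user": {"scheme": "PBKDF2", "value": _pbkdf2("blah")},
}


def plaintext_auth_naive(stored: dict, supplied: str) -> bool:
    """Flawed plugin: compares the submitted string to whatever is stored,
    so the stored hash itself is accepted as a valid password."""
    return hmac.compare_digest(stored["value"].encode(), supplied.encode())


def plaintext_auth_scheme_aware(stored: dict, supplied: str) -> bool:
    """Hardened plugin: only handles credentials stored under its own scheme."""
    if stored["scheme"] != "PLAIN":
        return False
    return hmac.compare_digest(stored["value"].encode(), supplied.encode())


def pbkdf2_auth(stored: dict, supplied: str) -> bool:
    if stored["scheme"] != "PBKDF2":
        return False
    return hmac.compare_digest(stored["value"].encode(), _pbkdf2(supplied).encode())


def login(username: str, password: str, chain) -> bool:
    """Walk the authenticator chain; the first plugin that succeeds wins."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return any(auth(stored, password) for auth in chain)


NAIVE_CHAIN = [pbkdf2_auth, plaintext_auth_naive]
HARDENED_CHAIN = [pbkdf2_auth, plaintext_auth_scheme_aware]
```

With the naive chain, `login("user", USERS["user"]["value"], NAIVE_CHAIN)` succeeds, reproducing the problem Darren describes; with the hardened chain the same call is rejected while the real password still works.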