icinga2
icinga2 copied to clipboard
Icinga
Introduce ApiUser#hashed_password
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu none: https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu none:123456 https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu none:123457 https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu plain: https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu plain:123456 https://127.0.0.1:5665/v1/stats
{"error":404.0,"status":"The requested path 'v1/stats' could not be found or the request method is not valid for this path."}
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu plain:123457 https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu hash: https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu hash:123456 https://127.0.0.1:5665/v1/stats
{"error":404.0,"status":"The requested path 'v1/stats' could not be found or the request method is not valid for this path."}
➜ icinga2 git:(feature/hash-credentials-6404) curl -skSu hash:123457 https://127.0.0.1:5665/v1/stats
<h1>Unauthorized. Please check your user credentials.</h1>
➜ icinga2 git:(feature/hash-credentials-6404)
➜ icinga2 git:(feature/hash-credentials-6404) cat prefix/etc/icinga2/conf.d/api-users.conf
/**
* The ApiUser objects are used for authentication against the API.
*/
object ApiUser "root" {
password = "e509e644a1cc8570"
// client_cn = ""
permissions = [ "*" ]
}
object ApiUser "hash" {
hashed_password = "$2y$10$uJUA0HVV3lHVVE0LsxPYZ.ioK2b7Lt82h6vwpgVBQSPqYjL7Jke7q"
}
object ApiUser "plain" {
password = "123456"
}
object ApiUser "none" {
}
➜ icinga2 git:(feature/hash-credentials-6404)
AFAIK the concept review is already positive: https://github.com/Icinga/icinga2/issues/6404#issuecomment-591300549
Hey @Al2Klimov,
I have some history to this topic that might help: A similar feature was introduced some years ago as password_hash (see apiuser.ti) but suffered greatly from the format. I see you are also planning on using this flawed approach and would recommend not following this path again.
Also why add another third party dependency and do the dangerous thing of doing it by hand when openssl can do the job for you lol
Kind regards, Diana
suffered greatly from the format
I don't quite understand. No one actually reads that, people just C&P that from $TOOL output.
Also why add another third party dependency
Have a look at Icinga DB's deps' amount :P
openssl can do the job for you
OpenSSL can $2y$? OK, now I'm all ears...
Of course it can't use the most bleeding edge hashing algorithms available, but who wants that? But you do you and I do not know the current requirements for this feature.
The format is the kicker. Feedback was it's a surprise to the user to find this format in the config when there are established best practices for hashes of this kind.
Your implementation wasn’t crypt(3) compatible. Mine is.
And it's the hot shit. <-- change my mind :)
Well you have to balance things here. What would be the best thing that OpenSSL would offer at the moment (must also be available on the ancient CentOS 7 version)? Is it really that bad that we have to vendor a bunch of code? I mean almost anything would be a huge improvement over the status quo.
If you don’t care about crypt(3) compatibility and accept something less secure than the best available, shall we (I) just reincarnate the old implementation using OpenSSL?
Tbh.: yes, we could cover the $2y$ -or at least $2a$- availability via unit tests and I even know how to make test Icinga 2 on OpenBSD and FreeBSD. But Windows has no crypt(3).