
[BUG] cannot use £ in a password

Open phil-r opened this issue 1 year ago • 7 comments

Describe the bug

Using a £ in a password makes it impossible to authenticate

Related component

Other

To Reproduce

Following these docs

docker pull opensearchproject/opensearch:latest
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=01982374£Abvfivb" opensearchproject/opensearch:latest

And then

curl https://localhost:9200 -ku 'admin:01982374£Abvfivb'

Will respond with Unauthorized

But running

docker pull opensearchproject/opensearch:latest
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=01982374Abvfivb" opensearchproject/opensearch:latest

And then

curl https://localhost:9200 -ku 'admin:01982374Abvfivb'

Works!

Expected behavior

Get a proper response when using a £ symbol in the password, like:

{
  "name" : "56a871697249",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "uPEiXZdCRmW8FvYr9K4GZQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.14.0",
    "build_type" : "tar",
    "build_hash" : "aaa555453f4713d652b52436874e11ba258d8f03",
    "build_date" : "2024-05-09T18:51:00.973564994Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Additional Details

Plugins: None

Screenshots

[Screenshot: Password with pound sign]

[Screenshot: Password without pound sign]

Host/Environment (please complete the following information):

  • Latest docker image version (756d2401537847f8bfb158a02a649a46adf7e7d15303a3692ed3d76586189d12)

Additional context

Setting a password is really frustrating: sometimes it asks for a special symbol, but you can skip setting it and it lets you through; the behaviour is really unpredictable.

phil-r avatar May 28 '24 20:05 phil-r

Looks like this bug should just be "£" cannot be used in a password. Do you have other characters that don't work?

Are you sure you didn't inherit a previous container?

dblock avatar May 28 '24 21:05 dblock

Hey @dblock! Thanks for the reply.

I've just tested with , , © and à - it's the same problem, but using e.g. $ works fine.

The issue can be reproduced on both new and existing containers.

phil-r avatar May 28 '24 21:05 phil-r

Moving this issue to security repo.

gaiksaya avatar May 29 '24 19:05 gaiksaya

[Triage] Hi @phil-r thank you for filing this issue. This is currently the expected behavior based on the allowed password rules. However, we can use this issue as a request to expand the rules to allow non-standard special characters.

stephen-crawford avatar Jun 03 '24 15:06 stephen-crawford

Hey @scrawfor99, thanks for taking a look into this. I believe there are 2 ways to solve this:

  1. starting opensearch with OPENSEARCH_INITIAL_ADMIN_PASSWORD that contains unsupported special characters should fail (like how it does if you set a weak password)
  2. special characters should be supported when you try to login

phil-r avatar Jun 16 '24 11:06 phil-r

Hi @phil-r if you want to change the password validation regex you can use the settings found here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/support/ConfigConstants.java#L279

Otherwise the password is validated against: https://github.com/opensearch-project/security/blob/1d1b1ed7bb0d0c99e693c3571231d1f2b8b7cb7c/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java#L147

stephen-crawford avatar Jun 17 '24 15:06 stephen-crawford

Hi @phil-r, as you can see the default value for the regex used for admin password validation is this.

I did some further digging and it seems that password validation is failing when using OpenBSDCrypt's checkPassword method. It will need some deep diving to understand the working of this method. It could be as simple as a standard encoding recognition issue.

These are the logs from InternalAuthenticationBackend.java class just before OpenBSDCrypt.checkPassword() is executed.

opensearch-node1  | [2024-06-17T19:10:04,468][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] array: 01982374£Abvfivb
opensearch-node1  | [2024-06-17T19:12:40,607][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] Hash: $2y$12$m4cac6aU4Tqra/vuezrbNuxGH5tWf17AGsa2NIUR601BYlHTFiZdG

DarshitChanpura avatar Jun 17 '24 19:06 DarshitChanpura
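The encoding hypothesis raised in the last comment, illustrated with added Python that is not from the OpenSearch project: the client base64-encodes the Basic credential from UTF-8 bytes (as `curl -u` does on a UTF-8 shell), and whether the server decodes those bytes as UTF-8 or ISO-8859-1 decides whether the verified password bytes match the stored hash. The PBKDF2 stand-in for bcrypt, the fixed salt and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample credential taken from the bug report; not a real secret.
USERNAME = "admin"
PASSWORD = "01982374£Abvfivb"
SALT = b"constructed-demo-salt"  # assumption: fixed salt for the stand-in hash


def build_basic_header(user: str, password: str, charset: str = "utf-8") -> str:
    """Client side, as `curl -u user:pass` does: encode in the shell's charset, then base64."""
    token = base64.b64encode(f"{user}:{password}".encode(charset)).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str, server_charset: str) -> tuple[str, str]:
    """Server side: undo base64 and decode the credential bytes with the server's charset.
    errors='replace' keeps a charset mismatch from crashing the request; it just yields wrong text."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("expected Basic authentication")
    raw = base64.b64decode(token)
    user, _, password = raw.decode(server_charset, errors="replace").partition(":")
    return user, password


def hash_password(password: str) -> bytes:
    """Stand-in for the stored bcrypt hash (assumption: PBKDF2 keeps the example dependency-free)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)


def check_password(candidate: str, stored_hash: bytes) -> bool:
    """Stand-in for OpenBSDCrypt.checkPassword: same derivation, constant-time compare."""
    return hmac.compare_digest(hash_password(candidate), stored_hash)


def authenticate(header: str, stored_hash: bytes, server_charset: str) -> bool:
    """Full path from Authorization header to verdict."""
    user, password = parse_basic_header(header, server_charset)
    return user == USERNAME and check_password(password, stored_hash)


if __name__ == "__main__":
    header = build_basic_header(USERNAME, PASSWORD)
    stored = hash_password(PASSWORD)
    print("utf-8 server:     ", authenticate(header, stored, "utf-8"))       # True
    # Decoding the UTF-8 bytes as ISO-8859-1 turns '£' into 'Â£', so the check fails.
    print("iso-8859-1 server:", authenticate(header, stored, "iso-8859-1"))  # False
```

An ASCII-only password such as the report's `01982374Abvfivb` has identical bytes under both charsets, which is why it authenticates either way.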