rabbitmq management password hash mismatch


komu wairagu

Apr 27, 2017, 12:20:17 PM
to rabbitmq-users
I created a test broker and then from the management view I downloaded the broker's definitions JSON file.

A snippet of that file is:

{
  "rabbit_version": "3.5.7",
  "users": [
    {
      "name": "guest",
      "password_hash": "/dayLJQTJ7OvTjB2m8aWK+ou6TI=",
      "tags": "administrator"
    }
  ],
  "vhosts": [
    {
      "name": "/"
    }
  ],


The actual rabbitmq management login username and password are: guest, guest respectively.

My actual question is: since the password hash is displayed in the definitions file as "/dayLJQTJ7OvTjB2m8aWK+ou6TI=", what hashing algorithm was used to hash "guest" to produce such a hash?

I know from the documentation that RabbitMQ by default uses SHA-256 to hash passwords, but when I try to SHA-256 hash "guest" using my favourite programming language (Python), I don't get the same value as in the definitions JSON file.


import hashlib
hashlib.sha256(b'guest').hexdigest()  # bytes literal so this runs on Python 3 as well as 2
   '84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec'


Komu W

Michael Klishin

Apr 27, 2017, 12:57:35 PM
to rabbitm...@googlegroups.com
3.5.7 uses MD5 exclusively. Other hashing functions were introduced in 3.6.0:





--
MK

Staff Software Engineer, Pivotal/RabbitMQ

komu wairagu

Apr 27, 2017, 1:23:51 PM
to rabbitmq-users
Thanks for the reply.

Even if 3.5.7 uses MD5 exclusively, still the md5("guest") is not "/dayLJQTJ7OvTjB2m8aWK+ou6TI="

import hashlib
hashlib.md5(b'guest').hexdigest()  # bytes literal so this runs on Python 3 as well as 2
    '084e0343a0486ff05530df6c705c8bb4'

Michael Klishin

Apr 27, 2017, 1:26:45 PM
to rabbitm...@googlegroups.com

komu wairagu

Apr 27, 2017, 1:34:36 PM
to rabbitmq-users
Thanks very much.

What I'm trying to do is add a user to RabbitMQ via a configuration file (specifically via a definitions JSON file) instead of using the rabbitmqctl add_user command-line utility.
I'm using RabbitMQ v3.6.9 (the test above was done on RabbitMQ 3.5.7, but my target in production is 3.6.9).
It appears since the passwords are salted before storing in definitions file I might not be able to add a user via config files. Is there an alternative that I'm missing?

Michael Klishin

Apr 27, 2017, 1:40:35 PM
to rabbitm...@googlegroups.com, komu wairagu
Definitions can be exported and imported:
http://www.rabbitmq.com/management.html

Since definitions are a JSON document, you can edit it to combine more than one file, for instance.

komu wairagu

Apr 27, 2017, 2:03:44 PM
to rabbitmq-users, kom...@gmail.com
Sorry if I'm not communicating clearly.

So let me ask an equivalent question. 

RabbitMQ has a HTTP API and the latest stable version is available here: https://rawcdn.githack.com/rabbitmq/rabbitmq-management/rabbitmq_v3_6_9/priv/www/api/index.html 
On the API to create users (/api/users/name), the documentation says:
To PUT a user, you will need a body looking something like this:
{"password":"secret","tags":"administrator"}
or:
{"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "tags":"administrator"}
The tags key is mandatory. Either password or password_hash must be set.

So my question is: if I wanted to send an HTTP API request to create a new user and I want to use the password_hash parameter (as opposed to the password parameter), how would I generate the hash?

As an example, let's say I want to create a user called mynewuser with the password strongpassword:

curl -X PUT -i -u guest:guest -H 'Content-Type: application/json' -d '{"password_hash":"<PASSWORD_HASH>", "tags":"administrator"}' http://localhost:15672/api/users/mynewuser

How would I generate the value of <PASSWORD_HASH> so that it is the hash for strongpassword?

Michael Klishin

Apr 27, 2017, 2:06:44 PM
to rabbitm...@googlegroups.com, komu wairagu
I get the idea.

The only way to configure users via config file is by using definitions import. Which means
you can export them from a node where they were originally created with `rabbitmqctl` without
worrying about the HTTP API. 


Michael Klishin

Apr 27, 2017, 2:10:13 PM
to rabbitm...@googlegroups.com, komu wairagu
Password salt is generated and applied when a user is created with a password.
HTTP API requires you to specify a password *hash*. When a hash is specified, it is used
as is:

https://github.com/rabbitmq/rabbitmq-management/blob/master/src/rabbit_mgmt_wm_user.erl#L155

Therefore you only need to compute a SHA-256 hash assuming you use a 3.6.x node and haven't altered the
hashing function. 


komu wairagu

Apr 27, 2017, 2:12:13 PM
to rabbitmq-users, kom...@gmail.com
ok, cool. 

Thanks.

komu wairagu

Apr 27, 2017, 7:02:41 PM
to rabbitmq-users, kom...@gmail.com
>> Therefore you only need to compute a SHA-256 hash assuming you use a 3.6.x node and haven't altered the hashing function.

I must be doing something wrong, I generated the sha256 of the string 'mypassword' using: http://www.xorbin.com/tools/sha256-hash-calculator
and the resulting hash is: 89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8

I then used this hash to send an API request to create a user.
curl -X PUT -vkL -i -u guest:guest -H 'Content-Type: application/json' -d '{"password_hash":"89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8","tags":"administrator"}' http://localhost/api/users/mynewuser

I logged into the management UI using the default user guest:guest and downloaded the definitions JSON file, and sure enough mynewuser had been created:

......snippet.....
        {
            "name": "mynewuser",
            "password_hash": "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8",
            "hashing_algorithm": "rabbit_password_hashing_sha256",
            "tags": "administrator"
        }
    ],
......snippet.....

However, when I try to log in to the management UI using that user and password (i.e. mynewuser, mypassword), login fails.

Luke Bakken

Apr 28, 2017, 10:38:36 AM
to rabbitmq-users, kom...@gmail.com
Hi Komu,

I think you should follow the instructions here:

http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2011-May/012765.html

Here is the Erlang code that implements the algorithm described:

https://github.com/rabbitmq/rabbitmq-server/blob/master/src/rabbit_password.erl

I will be trying this out in my own environment and will report back shortly.

Luke

Luke Bakken

Apr 28, 2017, 11:12:59 AM
to rabbitmq-users, kom...@gmail.com
Komu,

I wrote a script to generate the base64 encoded version of the salted password: https://gist.github.com/lukebakken/7b4da46ed9abb7ed14f7a60b49f9e52e

I tested it on Arch Linux, but it should work as long as you have openssl installed. If you don't pass a new password as the first argument, newpassword is used.

Here's a transcript of testing it out with RabbitMQ 3.6.9:

Retrieve guest user information -

curl -u 'guest:guest' -H 'Content-Type: application/json' http://172.17.0.2:15672/api/users/guest
{"name":"guest","password_hash":"RHp8PmPTb6a1e5Lti157e1PRFCit9IukzO+qDRWtRCSHlO74","hashing_algorithm":"rabbit_password_hashing_sha256","tags":"administrator"}

Get hashed version of new password -

$ NEWPASS="$(./rmq-passwd-gen test1234)"
$ echo $NEWPASS
ETMFf4EAPwiLyNLq/6x5xnOcc/PLAnT6/OoWJilkxapzRfja

Use curl to set password via API -

$ curl -u 'guest:guest' -H 'Content-Type: application/json' -XPUT http://172.17.0.2:15672/api/users/guest -d "{\"password_hash\":\"$NEWPASS\",\"tags\":\"administrator\"}"

Confirm changed password - note the new credentials passed via the -u argument to curl:

$ curl -u 'guest:test1234' -H 'Content-Type: application/json' http://172.17.0.2:15672/api/users/guest
{"name":"guest","password_hash":"ETMFf4EAPwiLyNLq/6x5xnOcc/PLAnT6/OoWJilkxapzRfja","hashing_algorithm":"rabbit_password_hashing_sha256","tags":"administrator"}
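An added Python example (not Luke's gist and not RabbitMQ's own code) of the salted scheme that rabbit_password.erl and the linked 2011 post describe: a 4-byte random salt, the digest of salt followed by the UTF-8 password, and the salt prepended to that digest, all base64-encoded. It covers both the SHA-256 scheme of 3.6.x and the MD5 scheme of 3.5.x, verifies the two "guest" hashes quoted earlier in this thread, and shows why the unsalted hex digest from the failed attempt can never match; the function names are my own.

```python
import base64
import hashlib
import hmac
import os

# Module names exactly as they appear in the "hashing_algorithm" key of a definitions file.
HASH_FUNCS = {
    "rabbit_password_hashing_sha256": hashlib.sha256,  # default on 3.6.x
    "rabbit_password_hashing_md5": hashlib.md5,        # the only scheme on 3.5.x
}
SALT_LEN = 4  # RabbitMQ draws a 32-bit random salt per user


def hash_password(password, algorithm="rabbit_password_hashing_sha256", salt=None):
    """Produce a password_hash value in the layout RabbitMQ stores and accepts:
    base64( salt || H(salt || utf8(password)) ). Pass a fixed salt only for
    reproducible tests; leave it None so a fresh random salt is drawn."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = HASH_FUNCS[algorithm](salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(password, password_hash, algorithm="rabbit_password_hashing_sha256"):
    """Recompute the digest with the salt stored in the first 4 bytes and compare in
    constant time. A value of the wrong length (e.g. a bare hex digest) simply fails,
    which is what a login against such a user does."""
    try:
        raw = base64.b64decode(password_hash)
    except (ValueError, TypeError):
        return False
    salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
    expected = HASH_FUNCS[algorithm](salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    # Both hashes below are quoted in this thread and belong to the user "guest".
    print(verify_password("guest", "/dayLJQTJ7OvTjB2m8aWK+ou6TI=",
                          "rabbit_password_hashing_md5"))               # 3.5.7 node
    print(verify_password("guest", "RHp8PmPTb6a1e5Lti157e1PRFCit9IukzO+qDRWtRCSHlO74"))  # 3.6.9 node
    # The bare hex SHA-256 from the failed attempt decodes to 48 bytes, not 4 + 32,
    # so no password can ever verify against it.
    print(verify_password("mypassword", "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"))
    # Value to send as "password_hash" in the body of PUT /api/users/mynewuser.
    print(hash_password("strongpassword"))
```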

komu wairagu

Apr 28, 2017, 11:26:52 AM
to rabbitmq-users, kom...@gmail.com
thanks, awesome.