Passwords stored in plaintext?


AndrewO

Dec 12, 2007, 10:27:53 PM
to RubyCAS-Server
Hi, I just started playing around with RubyCAS-Server and I noticed
that passwords are stored in the clear (at least in the SQL store). I
was wondering if some sort of salted-hash mechanism could/should be
integrated into the password store?

-Andrew

Matt Forsyth

Dec 13, 2007, 12:20:48 AM
to rubycas...@googlegroups.com
I am about to start working on an encrypted password authenticator myself. Also I will be working on an openid authenticator sometime soon. Mr. Zukowski, would you like me to try to merge these into the codebase?

-Matt Forsyth

Ben Mabey

Dec 13, 2007, 12:39:38 AM
to rubycas...@googlegroups.com
We have already implemented a secure SQL authenticator if anyone is
interested. We could also provide client code that we use in our rails
apps that actually creates the user and password. It is based off of a
40 char salt and SHA256 hash of the password plus salt. I don't think
anyone who bothers with a CAS server would really be using the plain
text SQL authenticator so I thought it was just there as an example of
how to build one.

-Ben


AndrewO

Dec 13, 2007, 9:46:43 AM
to RubyCAS-Server
Hi Ben,

I'd be interested in that. What are the chances of something like
this making it into the codebase? It seems like it would be a good
idea to get people storing their passwords right by default (plaintext
is nice for casual testing of course).

Is your client code based off of one of the existing salted hash Rails
plugins or did you do it completely from scratch?

-Andrew


Matt Zukowski

Dec 13, 2007, 10:49:54 AM
to rubycas...@googlegroups.com
You're right, the SQL authenticator included with RubyCAS-Server was meant more as a simple example. If you want to contribute your authenticator code, I'd be happy to include it in the official distribution. I'm not sure if we want user-creation code in the CAS server, as the general opinion in the CAS community seems to be that this is outside of the scope of what a CAS server should do... but let's see what you have. Maybe it makes sense to include it at least as a nice convenience feature.

Ben Mabey

Dec 13, 2007, 12:37:30 PM
to rubycas...@googlegroups.com
What I have is pretty simple. Take a look at what I have and if you
want me to create a patch I can. I imagine you might want to tweak
things a bit:

The Authenticator:
http://pastie.caboo.se/128053

YAML Config file snippet:
http://pastie.caboo.se/128050

The CasUser that I use in my Rails apps (this is heavily based off of
restful_authentication.) I have tried to only pull out the relevant
code. I may have missed something but this is the general idea:
http://pastie.caboo.se/128059


Matt Zukowski

Dec 21, 2007, 3:39:42 PM
to RubyCAS-Server
Hey Ben, I've added an encrypted authenticator, SQLEncrypted, to the
RubyCAS-Server distribution.

Have a look at http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator

This is inspired by your code, although I had to make some
modifications to simplify its deployment.

Ben Mabey

Dec 21, 2007, 3:51:48 PM
to rubycas...@googlegroups.com
Hey Matt,
It looks good! Thanks for doing a writeup and everything. I really
like how you extracted the encryption stuff into a module that can be
reused in the apps.
My one question is why you chose to go down to SHA1 for the hashing of
the password? (salt I am fine with) My original code used SHA256. I
know SHA256 is probably overkill for most apps, but to be technical I
think that is what security experts are encouraging these days until a
better hashing algorithm comes out.

My vote would be to make SHA256 the default on the authenticator. If
you don't want to do that then maybe at least allow an option to change
it. I realize that this is ruby and so monkey patching it would be
trivial but having a setting in the YAML file would be even more
trivial. :) If you don't want to change it to 256 then I can make a
patch for the optional change in the YAML file. WDYT?

Again, thanks for doing that.

-Ben
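The scheme Ben describes earlier in the thread (a 40-character salt and a SHA256 digest of password plus salt) with the digest algorithm made a YAML-style option as he proposes here, written as an added example; this is not the project's SQLEncrypted authenticator or Ben's pasted code, and the module, method and sample-row names are hypothetical.

```ruby
require 'digest'
require 'securerandom'

# Hypothetical salted-digest credential helper (not RubyCAS-Server code).
module SaltedCredential
  # Digest choices a config file could name; 'sha256' is the default.
  DIGESTS = { 'sha1' => Digest::SHA1, 'sha256' => Digest::SHA256 }.freeze

  # 20 random bytes rendered as hex gives the 40-character salt from the thread.
  def self.new_salt
    SecureRandom.hex(20)
  end

  # Hex digest of password concatenated with salt, using the configured algorithm.
  def self.encrypt(password, salt, algorithm: 'sha256')
    digest = DIGESTS.fetch(algorithm) { raise ArgumentError, "unknown digest #{algorithm}" }
    digest.hexdigest(password + salt)
  end

  # Compare every byte regardless of where the first mismatch is, so timing
  # does not leak how much of the stored hash a guess matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.verify(password, stored_hash, salt, algorithm: 'sha256')
    secure_compare(encrypt(password, salt, algorithm: algorithm), stored_hash)
  end
end

# Constructed sample user row of the shape a SQL authenticator would read.
def sample_user(password, algorithm: 'sha256')
  salt = SaltedCredential.new_salt
  { username: 'andrew', salt: salt, algorithm: algorithm,
    encrypted_password: SaltedCredential.encrypt(password, salt, algorithm: algorithm) }
end

# What the authenticator does at login: recompute the digest and compare.
def authenticate(row, password)
  SaltedCredential.verify(password, row[:encrypted_password], row[:salt],
                          algorithm: row[:algorithm])
end
```

A single SHA1 or SHA256 pass is fast to compute, so a per-user salt defeats shared rainbow tables but not a brute-force pass over one stolen row; an iterated or purpose-built password hash closes that gap.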
