Use hashed passwords in settings.json #1650

Closed
disy-mk opened this issue Mar 21, 2013 · 14 comments

Comments

@disy-mk
Contributor

disy-mk commented Mar 21, 2013

Would be nice to use hashed passes there; maybe an additional JS tool (in ./tools) to create hashed pwds. Maybe the tool could even handle "account creation" for /admin, i.e. ask for user, pass and if is_admin.

@JohnMcLear
Member

The reason we don't do this is so you can easily move between instances and scale.

@disy-mk
Contributor Author

disy-mk commented Mar 22, 2013

What's the problem with moving between instances and hashed pwds? IMHO it doesn't matter whether I copy/paste my password or a hash of it?!?

@marcelklehr
Contributor

It's probably possible to write a plugin that automatically hashes passwords when the user authenticates, so you can insert your pw as a hash in settings.json and epl can compare hash with hash.

@LaKing
Contributor

LaKing commented Jul 31, 2014

This patch of the authenticate function will add an optional possibility to log in with a hashed password, defined in settings.json.

 //// etherpad-lite/src/node/hooks/express/webaccess.js - Line 31:
 //// (fragment: req, res, next, settings, hooks and hookResultMangle are
 ////  provided by the enclosing middleware in webaccess.js)
  var authenticate = function (cb) {
    // If auth headers are present use them to authenticate...
    if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
      // decode "Basic base64(user:pass)"; everything after the first ':' is the password
      var userpass = Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(":");
      var username = userpass.shift();
      var password = userpass.join(':');

      // first check if a hash is defined for this user in settings.json
      if (settings.users[username] !== undefined) {
         if (settings.users[username].hash !== undefined) {
            // it is defined, therefore it has priority: hash the supplied password
            // (unsalted SHA-512 of the password, hex encoded)
            var crypto = require('crypto');
            var hash = crypto.createHash('sha512').update(password).digest('hex');
            // authenticate against that hash
            if (settings.users[username].hash === hash) {
               settings.users[username].username = username;
               req.session.user = settings.users[username];
               return cb(true);
            }
         } else {
            // no hash was defined in settings.json, do normal password based authentication
            if (settings.users[username].password === password) {
               settings.users[username].username = username;
               req.session.user = settings.users[username];
               return cb(true);
            }
         }
      }
      // fall through to plugins implementing the "authenticate" hook
      return hooks.aCallFirst("authenticate", {req: req, res:res, next:next, username: username, password: password}, hookResultMangle(cb));
    }
    hooks.aCallFirst("authenticate", {req: req, res:res, next:next}, hookResultMangle(cb));
  }
//// Continue @ /* Authentication OR authorization failed. */

@b-meson

b-meson commented Nov 20, 2014

Hi @LaKing I think the hashing of the password is good but the passwords are still unsalted which is a problem.

@LaKing
Contributor

LaKing commented Nov 20, 2014

Hi, ..

I'm thinking of adding certificate authentication, as an additional possibility to this plugin.
This is released as ep_hash_auth, as plugin ..

While I will work on that, I can add some salt - however if you want you can submit a patch or something to speed things up.

@JohnMcLear
Member

@b-meson

b-meson commented Jan 21, 2015

I don't think this is quite resolved, namely because the plugin doesn't seem to work quite as expected. For example, the installer warns about a plugin mismatch between node_modules/async as an unmet dependency (using the latest build of etherpad). I manually created a "users": { "username" : { "hash" : {"hash_value", "is_admin: false,} entry and whenever I try to log in it just spins on login (i.e. no password reject for being wrong, no connection timeout and no feedback to the end user). I can log in using the unhashed usernames so I don't know if the problem is in the settings.json.

Thoughts? @LaKing ?

@LaKing
Contributor

LaKing commented Jan 21, 2015

Your syntax seems to be wrong.

 "users": {
    "Bud": {"hash": "6c98..66d2","is_admin": true},
    "Al":  {"hash": "c7r2..b72c","is_admin": true}
  }

@muxator
Contributor

muxator commented Aug 8, 2018

For 1.7 (the upcoming release) we cannot do much more than mentioning ep_hash_auth in the documentation (BTW, in its current form it has some usability issues: see ether/ep_hash_auth#2).

It could be mainlined, provided the original author allows it, the code is polished, usability problems are overcome...

@Wikinaut
Contributor

Wikinaut commented Aug 9, 2018

@muxator as far as I remember, I had no installation problems ( ether/ep_hash_auth#2 ) any more (running debian 10 aka buster/sid).

@LaKing
Contributor

LaKing commented Aug 9, 2018

@muxator, I don't really plan to maintain the plugin further.

I think this functionality should be built-in into etherpad out of the box, especially with the new regulations from the EU. ...

@muxator muxator added the auth label Aug 10, 2018
@muxator
Contributor

muxator commented Aug 17, 2018

Thanks, @LaKing, I understand.
Since ep_hash_auth is a good starting point, I have opened ether/ep_hash_auth#4.

Please tell me what you think about it. Thanks again!

@muxator
Contributor

muxator commented Aug 18, 2018

Thanks to @LaKing's generosity, this ticket is replaced by #3463.

@muxator muxator closed this as completed Aug 18, 2018