Use hashed passwords in settings.json #1650
The reason we don't do this is so you can easily move between instances and scale. |
What's the prob with moving between instances and hashed pwds? Imho it doesn't matter if I copy/paste my password or a hash of it?!? |
It's probably possible to write a plugin that automatically hashes passwords when the user authenticates, so you can insert your pw as a hash in settings.json and epl can compare hash with hash.. |
This patch of the authenticate function will add an optional possibility to log in with a hashed password, defined in settings.json. //// etherpad-lite/src/node/hooks/express/webaccess.js - Line 31:
var authenticate = function (cb) {
  // If auth headers are present use them to authenticate...
  if (req.headers.authorization && req.headers.authorization.search('Basic ') === 0) {
    // Basic auth: "Basic base64(username:password)"; Buffer.from replaces the deprecated new Buffer()
    var userpass = Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':');
    var username = userpass.shift();
    var password = userpass.join(':'); // the password itself may contain ':'
    // first check if a hash is defined for this user in settings.json
    if (settings.users[username] !== undefined) {
      if (settings.users[username].hash !== undefined) {
        // a hash is defined, therefore it has priority: hash the submitted password the same way
        // (plain, unsalted SHA-512 hex digest; settings.json must hold exactly this form)
        var crypto = require('crypto');
        var hash = crypto.createHash('sha512').update(password).digest('hex');
        // authenticate against that hash
        if (settings.users[username].hash === hash) {
          settings.users[username].username = username;
          req.session.user = settings.users[username];
          return cb(true);
        }
      } else {
        // no hash was defined in settings.json, do normal password based authentication
        if (settings.users[username].password === password) {
          settings.users[username].username = username;
          req.session.user = settings.users[username];
          return cb(true);
        }
      }
    }
    // built-in check failed or the user is unknown: hand the credentials to the "authenticate" hook
    return hooks.aCallFirst("authenticate", {req: req, res: res, next: next, username: username, password: password}, hookResultMangle(cb));
  }
  // no Basic auth header: let plugins try to authenticate by other means
  hooks.aCallFirst("authenticate", {req: req, res: res, next: next}, hookResultMangle(cb));
}
//// Continue @ /* Authentication OR authorization failed. */ |
Hi @LaKing I think the hashing of the password is good but the passwords are still unsalted which is a problem. |
Hi, .. I'm thinking of adding certificate authentication, as an additional possibility to this plugin. While I will work on that, I can add some salt - however if you want you can submit a patch or something to speed things up. |
I don't think this is quite resolved, namely because the plugin doesn't seem to work quite as expected. For example, the installer warns about a plugin mismatch between node_modules/async as an unmet dependency (using the latest build of etherpad). I manually created a "users": { "username" : { "hash" : {"hash_value", "is_admin: false,} entry and whenever I try to login it just spins on login (i.e. no password reject for being wrong, no connection timeout and no feedback to the end user). I can login using the unhashed usernames so I don't know if the problem is in the settings.json. Thoughts? @LaKing ? |
Your syntax seems to be wrong. |
For 1.7 (the upcoming release) we cannot do much more than mentioning it. It could be mainlined, provided the original author allows it, the code is polished, usability problems are overcome... |
@muxator as far as I remember, I had no installation problems ( ether/ep_hash_auth#2 ) any more (running debian 10 aka buster/sid). |
@muxator, I don't really plan to maintain the plugin further. I think this functionality should be built-in into etherpad out of the box, especially with the new regulations from the EU. ... |
Thanks, @LaKing, I understand. Please tell me what you think about it. Thanks again! |
Would be nice to use hashed passes there; maybe an additional JS tool (in ./tools) to create hashed pwds. Maybe the tool could even handle "account creation" for /admin, i.e. ask for user, pass and if is_admin.