[libvirt PATCH 0/2] docs: less docs for insecure SASL mechanisms
Daniel P. Berrangé
berrange at redhat.com
Mon Mar 8 10:41:55 UTC 2021
On Fri, Mar 05, 2021 at 08:02:49AM +0100, Erik Skultety wrote:
> On Thu, Mar 04, 2021 at 06:10:11PM +0000, Daniel P. Berrangé wrote:
> > GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we
> > especially want people to be using. Even the latter is a little
> > questionable due to storing passwords in cleartext on the server.
>
> At what point of the SCRAM-SHA-256 auth process is password handled as clear
> text? I mean I tried to look up the issue you mention and couldn't find
> anything, quite the contrary, e.g. Postgres says SCRAM-SHA-256 is the only
> recommended scheme for password-based auth and storing passwords in clear text
> is not possible. Isn't it kind of the point that passwords are never stored in
> clear text with this scheme?
You can clearly see the passwd in clear text in the file
Add a new user
$ echo "fish food" | saslpasswd2 -a libvirt demo
Look for the password:
$ strings /etc/libvirt/passwd.db | grep fish
fish food
The actual mechanism protocol does send in clear text over the wire.
The storage in clear text on the server side is simply a choice of the
cyrus-sasl impl of this mechanism documented here:
https://www.cyrusimap.org/sasl/sasl/faqs/plaintextpasswords.html
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list