[libvirt PATCH 0/2] docs: less docs for insecure SASL mechanisms
Daniel P. Berrangé
berrange at redhat.com
Mon Mar 8 11:06:35 UTC 2021
On Mon, Mar 08, 2021 at 12:00:03PM +0100, Erik Skultety wrote:
> On Mon, Mar 08, 2021 at 10:41:55AM +0000, Daniel P. Berrangé wrote:
> > On Fri, Mar 05, 2021 at 08:02:49AM +0100, Erik Skultety wrote:
> > > On Thu, Mar 04, 2021 at 06:10:11PM +0000, Daniel P. Berrangé wrote:
> > > > GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we
> > > > especially want people to be using. Even the latter is a little
> > > > questionable due to storing passwords in cleartext on the server.
> > >
> > > At what point of the SCRAM-SHA-256 auth process is password handled as clear
> > > text? I mean I tried to look up the issue you mention and couldn't find
> > > anything, quite the contrary, e.g. Postgres says SCRAM-SHA-256 is the only
> > > recommended scheme for password-based auth and storing passwords in clear text
> > > is not possible. Isn't it kind of the point that passwords are never stored in
> > > clear text with this scheme?
> >
> > You can clearly see the passwd in clear text in the file
> >
> > Add a new user
> >
> > $ echo "fish food" | saslpasswd2 -a libvirt demo
> >
> > Look for the password:
> >
> > $ strings /etc/libvirt/passwd.db | grep fish
> > fish food
> >
> > The actual mechanism protocol does send in clear text over the wire.
> > The storage in clear text on the server side is simply a choice of the
> > cyrus-sasl impl of this mechanism documented here:
> >
> > https://www.cyrusimap.org/sasl/sasl/faqs/plaintextpasswords.html
>
> So if this is the case, why are we even bothering promoting an insecure
> solution, why not promote only GSSAPI for the reasons given? Backcompat?
Calling it insecure is a rather absolutist view of security IMHO.
It *is* secure against network attackers, which is the primary risk
factor we're protecting against with our use of SASL.
To compromise the passwords requires the attacker to first compromise
the root account on the virt host. Anything is possible, but IMHO that
danger doesn't justify eliminating the SCRAM auth mechanism.
If we only promote GSSAPI, then the result is likely to be that people
run with no authentication at all, or make their own ill informed worse
choices.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list