Hash algo to use with file realm

Using ES 7.13.0, platinum licence, security enabled.

Using File-based user authentication | Elasticsearch Guide [7.13] | Elastic.

I am trying to set up a "users" file, with username:password.

What exactly is the hash algo to use? I tried bcrypt from PHP / Ansible (Python 3) or even online with https://bcrypt-generator.com/, this never works.

It's working fine using the elasticsearch-user useradd CLI. Looking at the code here elasticsearch/BCrypt.java at master · elastic/elasticsearch · GitHub, it looks like a home-made algo?

The bcrypt implementation is compatible with other implementations. Specifically, it is compatible with Python and whatever is used for https://bcrypt-generator.com

For example, the following works in Python (hash value copied from users file):

import bcrypt
bcrypt.checkpw(b'password', b'$2a$10$EAxS6KaU2x3pQGZn/i4ldu5pVDAdUiaG7UZU9I2H..6N2WMF2KXoe')

The above works for https://bcrypt-generator.com as well. Note you need to choose Decrypt for checking. Bcrypt generates a different hash each time for the same password because it uses a salt to prevent rainbow table attacks.

That online bcrypt generator is using a non-standard format.

$2y$ is a commonly used, but non-standard, prefix that was decided on by a number of tools to work around previous bugs in their implementations. We currently only accept the standard, canonical prefix of $2a$.

We're likely to change our implementation to support $2y$ in order to be more compatible, but it's not a priority.

However, putting all of that aside, we don't support generating your own users file. We provide a tool and that is the only supported way to manage those files.
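The prefix rule described in the reply above, as an added example that is not part of the thread and not Elasticsearch's own code: a standard-library Python check that parses each username:hash line and reports entries whose bcrypt variant is not $2a$. The line format is taken from the question; the user names and the $2y$/$2b$ entries are constructed by swapping the prefix on the hash quoted earlier in the thread.

```python
import re

# bcrypt modular-crypt string: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
ACCEPTED_VARIANT = "2a"  # per the reply above: only the $2a$ prefix is accepted


def check_entry(line):
    """Return (username, status) for one 'username:hash' line."""
    user, sep, hashed = line.strip().partition(":")
    if not sep or not user:
        return (user or None, "malformed line")
    match = BCRYPT_RE.match(hashed)
    if match is None:
        return (user, "not a bcrypt hash")
    variant, cost = match.group(1), int(match.group(2))
    if not 4 <= cost <= 31:  # bcrypt's valid cost range
        return (user, f"invalid cost {cost}")
    if variant != ACCEPTED_VARIANT:
        return (user, f"prefix ${variant}$ not accepted, expected $2a$")
    return (user, "ok")


def lint_users(text):
    """Check every non-blank line of a users file; returns a list of results."""
    return [check_entry(line) for line in text.splitlines() if line.strip()]


# Hash quoted in the thread; the other entries are constructed for illustration.
PAGE_HASH = "$2a$10$EAxS6KaU2x3pQGZn/i4ldu5pVDAdUiaG7UZU9I2H..6N2WMF2KXoe"
SAMPLE = "\n".join([
    "alice:" + PAGE_HASH,
    "bob:" + PAGE_HASH.replace("$2a$", "$2y$", 1),    # constructed $2y$ entry
    "carol:" + PAGE_HASH.replace("$2a$", "$2b$", 1),  # constructed $2b$ entry
    "dave:password",                                  # plaintext, not a hash
])

if __name__ == "__main__":
    for user, status in lint_users(SAMPLE):
        print(f"{user}: {status}")
```

PHP's password_hash() emits $2y$ and the Python bcrypt package defaults to $2b$, which is why both variants appear in the sample.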

Yes, this is what I understand now. Very hard to use with prov. tools such as Ansible / Chef :confused:

Thank you
