Hash algo to use with file realm

ebuildy · June 3, 2021, 5:51pm

Using ES 7.13.0 , platinium licence, security enabled.

Using File-based user authentication | Elasticsearch Guide [7.13] | Elastic.

I am trying to setup "users" file, with username:password.

What is exactly the hash algo to use? I tried bcrypt from Php / Ansible (Python 3) or even online with https://bcrypt-generator.com/ , this never work .

It's working fine using elasticsearch-user useradd CLI. Looking at the code here elasticsearch/BCrypt.java at master · elastic/elasticsearch · GitHub, it looks a home made algo?

Yang_Wang · June 3, 2021, 11:59pm

The bcrypt implementation is compatible with other implementations. Specifically, it is compatible with Python and whatever used for https://bcrypt-generator.com

For example, the following works in Python (hash value copied from users file):

import bcrypt
bcrypt.checkpw(b'password', b'$2a$10$EAxS6KaU2x3pQGZn/i4ldu5pVDAdUiaG7UZU9I2H..6N2WMF2KXoe')

The above works for https://bcrypt-generator.com as well. Note you need to choose Decrypt for checking. Bcrypt generates different hash each time for the same password because it uses salt to prevent rainbow table attack.

TimV · June 4, 2021, 5:46am

That online bcrypt generator is using a non-standard format.

$2y$ is a commonly used, but non-standard, prefix that was decided on by a number of tools to work around previous bugs in their implementations. We currently only accept the standard, canonical prefix of $2a$

We're likely to change our implementation to support $2y$ in order to be more compatible, but it's not a priority.

github.com/elastic/elasticsearch

_security API not accepting 2y bcrypt hashes

opened 10:42PM - 16 Jan 20 UTC

ceeeekay

:Security/Authentication Team:Security good first issue help wanted

**Elasticsearch version**: 7.5.1 **Plugins installed**: none **JVM ver…sion**: 13.0.1 **OS version** : Ubuntu 18.04.3 LTS **Description of the problem including expected versus actual behavior**: Attempting to use a 2y password_hash to create a user via the `_security` API results in an error Bcrypt `2a` and `2y` hashes generated by modern tools are functionally identical so I feel that this is a bug. Ubuntu htpasswd, for instance emits `2y` hashes which are not accepted by the API. Attempting to POST a `2y` bcrypt hash results in an error: `hash uses [NOOP]`. Simply changing the hash prefix to 2a works, however this means that *generated hashes (e.g., by scripts) can not be posted to the API without first being modified*. Expected behaviour: The API should accept valid `2y` bcrypt hashes. **Steps to reproduce**: 1. Create a bcrypt hash with `htpasswd`: ``` $ htpasswd -nBC10 test New password: <-- test Re-type new password: test:$2y$10$4KUQQvcSYBaQTWUP84ToX.N7CwwgPAT7d0JXofUyH8cH4LuFfT/Y6 ``` 2. Attempt to create a new user via the _security/user endpoint, using the hash generated in step (1.) ``` POST /_security/user/test { "password_hash" : "$2y$10$4KUQQvcSYBaQTWUP84ToX.N7CwwgPAT7d0JXofUyH8cH4LuFfT/Y6", "roles": "some_role" } { "error": { "root_cause": [ { "type": "illegal_argument_exception", "reason": "Provided password hash uses [NOOP] but the configured hashing algorithm is [BCRYPT]" } ], "type": "illegal_argument_exception", "reason": "Provided password hash uses [NOOP] but the configured hashing algorithm is [BCRYPT]" }, "status": 400 } ``` 2. Change the hash prefix to `2a`: ``` POST /_security/user/test { "password_hash" : "$2a$10$4KUQQvcSYBaQTWUP84ToX.N7CwwgPAT7d0JXofUyH8cH4LuFfT/Y6", "roles": "some_role" } { "created" : true } ```

However, putting all of that aside, we don't support generating your own users file. We provide a tool and that is the only supported way to manage those files.

ebuildy · June 4, 2021, 7:49am

yes this is what I understand now. Very hard to use with prov. tool such as Ansible / Chef

Thanks you

system · July 2, 2021, 7:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.