Hash algo to use with file realm

Elastic Stack Elasticsearch
1

Using ES 7.13.0 , platinium licence, security enabled.

Using File-based user authentication | Elasticsearch Guide [7.13] | Elastic.

I am trying to setup "users" file, with username:password.

What is exactly the hash algo to use? I tried bcrypt from Php / Ansible (Python 3) or even online with https://bcrypt-generator.com/ , this never work .

It's working fine using elasticsearch-user useradd CLI. Looking at the code here elasticsearch/BCrypt.java at master · elastic/elasticsearch · GitHub, it looks a home made algo?

2

The bcrypt implementation is compatible with other implementations. Specifically, it is compatible with Python and whatever used for https://bcrypt-generator.com

For example, the following works in Python (hash value copied from users file):

import bcrypt
bcrypt.checkpw(b'password', b'$2a$10$EAxS6KaU2x3pQGZn/i4ldu5pVDAdUiaG7UZU9I2H..6N2WMF2KXoe')

The above works for https://bcrypt-generator.com as well. Note you need to choose Decrypt for checking. Bcrypt generates different hash each time for the same password because it uses salt to prevent rainbow table attack.

3

That online bcrypt generator is using a non-standard format.

$2y$ is a commonly used, but non-standard, prefix that was decided on by a number of tools to work around previous bugs in their implementations. We currently only accept the standard, canonical prefix of $2a$

We're likely to change our implementation to support $2y$ in order to be more compatible, but it's not a priority.

However, putting all of that aside, we don't support generating your own users file. We provide a tool and that is the only supported way to manage those files.

4

yes this is what I understand now. Very hard to use with prov. tool such as Ansible / Chef :confused:

Thanks you

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.