
gen_passwords.sh is not generating correct hashes #422

Open
MrRagnar opened this issue Mar 1, 2016 · 6 comments

Comments

@MrRagnar

MrRagnar commented Mar 1, 2016

I have generated a user and password-hash and put them in the users.yml file but I keep getting
"Unable to login Invalid username or password" when I try to login.
Logging in as blake with the password admin:first works just fine.
To test, I generated the hash for that password using htpasswd:

# echo admin:first | htpasswd -i -s -n test
test:{SHA}0sJmRmPZiSG3mjLYl0Zcd1M1W7I=

This differs from the hash in the default users.yml file:

# cat users.conf
blake:{SHA}Xziwl2ZuU/FOR4XXbjOfN7MMRNw=:engineering,infra,ops

Am I missing something or is the gen_passwords.sh broken? (missing a function to add a salt maybe?)

@william-richard
Contributor

Hi @MrRagnar
Sorry for the late response.
I actually just found an old ticket in our backlog. It looks like whoever generated the password in that users.conf file did not use admin:first for blake.
Did you say that you turned on file authentication using that config and you were able to log in as blake using admin:first as the password?
Really what we should probably do is use the correct SHA in that users.conf file. I can try to spend a bit of time verifying this next week.

@MrRagnar
Author

MrRagnar commented Mar 8, 2016

Hello!
This is how my authentication.conf looks:

authentication {
  type = file
  file {
    file.userfile = "conf/users.conf"
  }
}

I have tried using both conf/users.conf and users.conf as the value for file.userfile.

And here is my users.conf:

pekka:{SHA}d/F1MzIPfo+jLyxMx/TLH7ZGjkg=:engineering,infra,ops
blake:{SHA}Xziwl2ZuU/FOR4XXbjOfN7MMRNw=:engineering,infra,ops
matt:{SHA}dvxs8ZEUa332uMS+IaPl8PQ8lC4=:engineering,management
test:{SHA}nmZcGi9sch6TRiyn5uSMHgw5/Jg=:none
joeengineer:{SHA}Pkt4VUupqicwPeggw/osIEaGRAw=:engineering

Using this config I am able to log in using blake and admin:first,
but not with the account pekka.

@william-richard
Contributor

Sorry, I'm a bit confused. How did you generate the password sha for pekka?

@MrRagnar
Author

MrRagnar commented Mar 9, 2016

I used htpasswd with the options -s -n.
That is how I understand gen_passwords.sh does it.
The hash is for the password brapw.

@william-richard
Contributor

Sorry for taking so long to look at this.

TLDR - blake's password in the example users.conf file is wrong. I've opened #435 to fix it.

This is the code that is doing the password checking for file auth:
https://github.com/tumblr/collins/blob/master/app/collins/util/security/FileAuthenticationProvider.scala#L36
If I run the following:

scala> new BASE64Encoder().encode(MessageDigest.getInstance("SHA1").digest("admin:first".getBytes()))
res2: String = 0sJmRmPZiSG3mjLYl0Zcd1M1W7I=

I get the same result as htpasswd:

$ htpasswd -n -b -s blake admin:first
blake:{SHA}0sJmRmPZiSG3mjLYl0Zcd1M1W7I=

When I tried running with the default users.conf file, and with file auth enabled, I was not able to log in as blake, which further confirms my suspicion that the default users.conf file is wrong.

When I added your pekka line to that file, I was able to log in as pekka using password brapw.

I also created a new password with the gen_password script, and was able to auth using that password and the generated hash.

I've opened #435 to fix blake's password in the example users.conf file. I'm not totally sure what happened in your test @MrRagnar - let me know if you cannot replicate these results, and I'll keep helping you track down the problem.

Sorry again for taking so long to get back to this.
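The check above reduces to one unsalted digest: `{SHA}` followed by base64(SHA-1(password)), which is exactly what `htpasswd -s` emits and what the Scala one-liner computes. The following is an added example, not Collins project code; it assumes only the `user:{SHA}hash:groups` line layout shown in this thread, and the function names (`sha_hash`, `parse_users_conf`, `verify`, `audit`) are mine. It reproduces the mismatch diagnosed here: the shipped blake line cannot verify against admin:first, the regenerated one does.

```python
"""Reproduce Collins-style {SHA} file-auth checks (added example, not project code)."""
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed samples in the users.conf layout from the issue:
#   <user>:{SHA}<base64(sha1(password))>:<comma-separated groups>
# SHIPPED carries the blake hash from the original example file; FIXED carries
# the hash this thread derives for "admin:first" with htpasswd -s.
SHIPPED_USERS_CONF = """\
blake:{SHA}Xziwl2ZuU/FOR4XXbjOfN7MMRNw=:engineering,infra,ops
test:{SHA}nmZcGi9sch6TRiyn5uSMHgw5/Jg=:none
"""
FIXED_USERS_CONF = """\
blake:{SHA}0sJmRmPZiSG3mjLYl0Zcd1M1W7I=:engineering,infra,ops
test:{SHA}nmZcGi9sch6TRiyn5uSMHgw5/Jg=:none
"""

Users = Dict[str, Tuple[str, List[str]]]


def sha_hash(password: str) -> str:
    """'{SHA}' + base64(SHA-1(password)), the htpasswd -s format.

    There is no salt, so any two tools fed the same bytes agree exactly; it
    also means a stale entry in a sample file can never match a typed password.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_users_conf(text: str) -> Users:
    """Map user -> (stored hash, groups); blank lines and '#' comments are skipped."""
    users: Users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The hash is base64 and the '{SHA}' prefix has no colon, so splitting
        # into at most three fields keeps group lists with commas intact.
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed users.conf line: {raw!r}")
        user, stored, groups = parts
        users[user] = (stored, [g for g in groups.split(",") if g and g != "none"])
    return users


def verify(users: Users, user: str, password: str) -> bool:
    """True only if the user exists and the stored hash matches the password."""
    entry = users.get(user)
    if entry is None:
        return False
    stored, _groups = entry
    # Constant-time comparison so a mismatch position is not leaked via timing.
    return hmac.compare_digest(stored, sha_hash(password))


def audit(users: Users, expected: Dict[str, str]) -> List[str]:
    """Return the users whose stored hash does not match the password we expect."""
    return [u for u, pw in expected.items() if not verify(users, u, pw)]


if __name__ == "__main__":
    expected = {"blake": "admin:first"}
    print("shipped file, stale entries:", audit(parse_users_conf(SHIPPED_USERS_CONF), expected))
    print("fixed file, stale entries:  ", audit(parse_users_conf(FIXED_USERS_CONF), expected))
```

Running `audit` against a checked-in sample file with the documented credentials is a cheap test to keep in CI: it catches exactly the drift between the docs and the hash that this issue took several rounds to pin down.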

@discordianfish
Contributor

Wow, this was painful! I ran into the same problem I think; this is what I found:

The sample configs like here are using auth.type = default, yet specifying a password file: https://github.com/tumblr/collins/blob/master/conf/authentication.conf#L3

Now the docs show the blake / admin:first credentials in the docs and the username in the file, which makes you assume that file is actually used - but it's not. type = default uses some hardcoded credentials or whatever, not the specified file. Now people change the credentials in the file and wonder why they can't log in with those new credentials...

So I would suggest to get rid of the default / mock auth altogether. Or is there a reason to have it? By default collins should use auth = file, which I assume would also work for tests. I'd also consider it best practice to hardcode any credentials, let alone ones you can actually use to log in. Just imagine accidentally changing type back to default and exposing the setup with the default credentials.
