SCRAM - support for using Hashed and salted passwords #863

Open
davidfrickert opened this issue Sep 20, 2024 · 6 comments

Comments

@davidfrickert

Hi all,

Reading the documentation of this project it seems to imply that SCRAM needs cleartext passwords in order to work. https://github.com/cyrusimap/cyrus-sasl/blob/master/docsrc/sasl/faqs/plaintextpasswords.rst

However I don't think this is true, as some reference implementations I've seen do store the hash, salt and iterations on the backend instead of the cleartext password.

If storing a hashed password is currently not supported, what could we do to support it?

@GuidoKiener
Contributor

For the SCRAM plugin you can set the option "scram_secret_generate=y" to force storing hashed passwords in the SASL database. You can also use the option "scram_iteration_counter=10000" to increase the calculation time of the hashes.
Nevertheless, when you support PLAIN or LOGIN, the passwords are still stored in plain text within the SASL database. To really solve this problem you have to implement the callback functions SASL_CB_SERVER_USERDB_CHECKPASS and SASL_CB_SERVER_USERDB_SETPASS. However, it's a hard way to understand the callback jungle.

Strange, I just see this response is four years too late ... Is this project still alive?

@namsic

namsic commented Nov 20, 2024

Hello. I have the same question.

I want to allow only SCRAM authentication in my application and avoid storing plain text passwords in the sasldb file.
Where should I set the scram_secret_generate=y option?

Can I use the following command?

saslpasswd2 -f my.sasldb -a myapp -n --scram_secret_generate=y -c user001

@GuidoKiener
Contributor

To change options in a server or utils you have to implement a getopt function and set it with the callback mechanism SASL_CB_GETOPT.

Here is one example among others:

int good_getopt(void *context __attribute__((unused)),

Just add a line to your server/tools option function like:

  else if (!strcmp(option, "scram_secret_generate")) {
    *result = "y";
    if (len)
      *len = (unsigned)strlen(*result);
    return SASL_OK;
  }

@namsic

namsic commented Nov 21, 2024

It was very helpful to see specific examples.

int good_getopt(void *context __attribute__((unused)),
                const char *plugin_name __attribute__((unused)),
                const char *option,
                const char **result,
                unsigned *len)
{
    if (sasldb_path && !strcmp(option, "sasldb_path")) {
        *result = sasldb_path;
        if (len)
            *len = (unsigned) strlen(sasldb_path);
        return SASL_OK;
    }
    return SASL_FAIL;
}

{
    if (sasldb_path && !strcmp(option, "sasldb_path")) {
	*result = sasldb_path;
	if (len)
	    *len = (unsigned) strlen(sasldb_path);
	return SASL_OK;
+   } else if (!strcmp(option, "scram_secret_generate")) {
+       *result = "y";
+       if (len)
+           *len = (unsigned)strlen(*result);
+       return SASL_OK;
    }

    return SASL_FAIL;
}
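Review bot: the new `else if` branch ignores `plugin_name`, so any plugin that asks for an option called `scram_secret_generate` receives "y"; since scram.c requests the option under the plugin name "SCRAM" (the scram.c excerpt later in this thread shows the call passing "SCRAM"), the check can be scoped with `plugin_name && !strcmp(plugin_name, "SCRAM") && !strcmp(option, "scram_secret_generate")`. The added lines are also indented with spaces while the surrounding context uses tabs; match the file's tabs so the diff stays clean.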

I modified the saslpasswd.c file as above and ran make again.

saslpasswd2 -f myapp.sasldb -a myapp -c user01
# Password: 1234
saslpasswd2 -f myapp.sasldb -a myapp -c -n user02
# Password: 5678
b'user01\x00myhost\x00userPassword'     b'1234'
b'user02\x00myhost\x00authPassword'     b'SCRAM-SHA-1$4096:D1Xrw0Ts7q+R2MJpxJEr/A==$XBngQGUqgKY1VT27d769/GG9gSQ=:2bWpTZJXe5t9ILJgjPv3hKcwrkQ='
b'user02\x00ncp-2c4-001\x00cmusaslsecretOTP' b'md5\t0499\tnc2863\t74232d4b06004733\t00000000000000000000'

Now I can use SCRAM-SHA-1 authentication in my application without storing user02's plaintext password in the db.
However, I still cannot use other SCRAM authentication methods.

// sasl_server_start(SCRAM-SHA-512, /* data */, /* data length */)
SASL (severity 2): No valid SCRAM-SHA-512 secret found

cyrus-sasl/plugins/scram.c

Lines 1650 to 1655 in ed79de0

sparams->utils->getopt(sparams->utils->getopt_context,
                       /* This affects all SCRAM plugins, not just SCRAM-SHA-1 */
                       "SCRAM",
                       "scram_secret_generate",
                       &generate_scram_secret,
                       NULL);

Are there any other guides for using SCRAM-SHA-256 or SCRAM-SHA-512 authentication method?

@GuidoKiener
Contributor

Your server should not offer all SCRAM-SHA-* variants. E.g. SCRAM-SHA-512 is not an approved standard yet. If you start from scratch, you could use SCRAM-SHA-256(-PLUS) and limit your offered mechanisms, e.g. with the option:
mech_list=GS2-KRB5 SCRAM-SHA-256 GSSAPI GSS-SPNEGO EXTERNAL PLAIN ANONYMOUS
Hint: do not add the PLUS variants. It's done automatically. Adding the text SCRAM-SHA-256-PLUS will fail your server.

This way your saslpasswd2 will create the entries for SCRAM-SHA-256.
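A complete SASL_CB_GETOPT callback that ties together the options named in this thread (sasldb_path, scram_secret_generate, scram_iteration_counter and mech_list), written as an added example rather than code from the cyrus-sasl project or from either commenter: it answers the scram_* options only for the plugin name "SCRAM" that scram.c asks with, takes sasldb_path from a context struct instead of a global, and serves mech_list to any caller. The struct opt_context name, the option table and the SASL_OK/SASL_FAIL stand-ins are assumptions; install it in your sasl_callback_t array under SASL_CB_GETOPT.

```c
#include <string.h>

#ifndef SASL_OK        /* stand-ins so this compiles without <sasl/sasl.h>; */
#define SASL_OK   0    /* the values match sasl.h */
#define SASL_FAIL -1
#endif

/* Context handed to the callback through sasl_callback_t (hypothetical struct). */
struct opt_context {
    const char *sasldb_path;   /* NULL means: let the library use its default */
};

/* Static options. plugin == NULL answers any caller; otherwise only the named
   plugin gets the value (scram.c asks for its options as "SCRAM"). */
static const struct { const char *plugin, *name, *value; } static_opts[] = {
    { NULL,    "mech_list",               "SCRAM-SHA-256 PLAIN" },
    { "SCRAM", "scram_secret_generate",   "y" },
    { "SCRAM", "scram_iteration_counter", "10000" },
};

/* sasl_getopt_t-compatible callback, registered under SASL_CB_GETOPT. */
int scoped_getopt(void *context, const char *plugin_name, const char *option,
                  const char **result, unsigned *len)
{
    const struct opt_context *ctx = context;
    size_t i;

    if (!option || !result)
        return SASL_FAIL;
    /* Dynamic option: the database path lives in the context, not in a table. */
    if (ctx && ctx->sasldb_path && !strcmp(option, "sasldb_path")) {
        *result = ctx->sasldb_path;
        if (len)
            *len = (unsigned)strlen(*result);
        return SASL_OK;
    }
    for (i = 0; i < sizeof static_opts / sizeof static_opts[0]; i++) {
        if (strcmp(option, static_opts[i].name) != 0)
            continue;
        if (static_opts[i].plugin &&
            (!plugin_name || strcmp(plugin_name, static_opts[i].plugin) != 0))
            continue;          /* right name, wrong plugin: keep looking */
        *result = static_opts[i].value;
        if (len)
            *len = (unsigned)strlen(*result);
        return SASL_OK;
    }
    return SASL_FAIL;          /* unknown: library falls back to its own config */
}
```

Returning SASL_FAIL for anything unknown is what lets the library keep reading the rest of its configuration normally, so only the options you list here are overridden.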

@Neustradamus
Contributor

Good to see that more and more people use SCRAM SASL!

Note: SCRAM-SHA-512(-PLUS) is not yet official, but a lot of projects always use it:

Linked to:
