
Authentication hashes are available through the API #4917

Closed
dduportal opened this issue May 29, 2019 · 1 comment

@dduportal (Contributor) commented May 29, 2019

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

  • Enabled Traefik API, creating a frontend protected with a user / password (see reproduction case below)
  • Fetched the API

What did you expect to see?

$ curl -u "user:password" http://localhost/api
{"docker":{"backends":{"backend-lb-api-auth-docker":{"servers":{"server-api-auth-lb-1-e42dd141b28258fda36b39d92119a422":{"url":"http://172.19.0.2:8080","weight":1}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-docker-lb-api-auth-docker":{"entryPoints":["http"],"backend":"backend-lb-api-auth-docker","routes":{"route-frontend-docker-lb-api-auth-docker":{"rule":"Host:localhost"}},"passHostHeader":true,"priority":0,"basicAuth":null,"auth":{"basic":{"users":["<OBFUSCATED>"]}}}}}}

What did you see instead?

$ curl -u "user:password" http://localhost/api
{"docker":{"backends":{"backend-lb-api-auth-docker":{"servers":{"server-api-auth-lb-1-e42dd141b28258fda36b39d92119a422":{"url":"http://172.19.0.2:8080","weight":1}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-docker-lb-api-auth-docker":{"entryPoints":["http"],"backend":"backend-lb-api-auth-docker","routes":{"route-frontend-docker-lb-api-auth-docker":{"rule":"Host:localhost"}},"passHostHeader":true,"priority":0,"basicAuth":null,"auth":{"basic":{"users":["user:$apr1$HFjubfEM$ZDbKJK872VzBLXv5DiQPd0"]}}}}}}

=> So I can totally use a rainbow table to de-hash the password of up to 14 characters easily (more is challenging as of today), even if there is a salt in the basic auth.

Output of traefik version: (What version of Traefik are you using?)

docker run traefik:1.7.11 version
Version:      v1.7.11
Codename:     maroilles
Go version:   go1.11.9
Built:        2019-04-26_08:42:33AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Simple reproduction case, with a frontend on the API itself for the sake of simplicity:
(Username is user and password is password)

version: '3'

services:
  lb:
    image: traefik:1.7.11
    command:
      - "--api"
      - "--docker"
    ports:
      - "80:80"
      - "8080:8080"
    labels:
      - "traefik.frontend.rule=Host:localhost"
      - "traefik.frontend.auth.basic.users=user:$$apr1$$HFjubfEM$$ZDbKJK872VzBLXv5DiQPd0"
      - "traefik.docker.port=8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

Not applicable
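The report above shows the dashboard/API echoing the `auth.basic.users` entries, including the htpasswd-style hash, to any caller who can reach `/api`. The following Go snippet is an added example (not Traefik's code and not from the reporter): it walks an API response of the shape shown in the issue, detects any `users` entries whose value looks like an htpasswd hash (`$apr1$`, bcrypt `$2a$/$2b$/$2y$`, or `{SHA}`), and produces a copy with those entries redacted. The embedded sample response and its placeholder hash are constructed for the example; the detection regex and the function names are my own assumptions, not anything from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// sampleAPIResponse is a constructed, trimmed-down copy of the /api document
// from the issue. The hash is a placeholder, not a real credential.
const sampleAPIResponse = `{"docker":{"frontends":{"frontend-docker-lb-api-auth-docker":{` +
	`"entryPoints":["http"],"backend":"backend-lb-api-auth-docker",` +
	`"auth":{"basic":{"users":["user:$apr1$PLACEHOLDER$PLACEHOLDERHASH0000000"]}}}}}}`

// htpasswdEntry matches "name:hash" where hash is in one of the formats the
// htpasswd tool emits (Apache MD5, bcrypt, SHA-1). Assumption for this example.
var htpasswdEntry = regexp.MustCompile(`^[^:]+:(\$apr1\$|\$2[aby]\$|\{SHA\})`)

// walk visits every node of a decoded JSON document and calls onHash for each
// string inside a "users" array that looks like an htpasswd entry.
func walk(node interface{}, key string, onHash func(arr []interface{}, i int, entry string)) {
	switch v := node.(type) {
	case map[string]interface{}:
		for k, child := range v {
			walk(child, k, onHash)
		}
	case []interface{}:
		for i, child := range v {
			if s, ok := child.(string); ok && key == "users" && htpasswdEntry.MatchString(s) {
				onHash(v, i, s)
				continue
			}
			walk(child, key, onHash)
		}
	}
}

// ExposedHashUsers is the detection side: it returns the usernames whose
// password hashes appear in the raw API response, so an operator can check
// whether their deployment leaks credentials the way the issue describes.
func ExposedHashUsers(raw []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var users []string
	walk(doc, "", func(_ []interface{}, _ int, entry string) {
		users = append(users, entry[:strings.Index(entry, ":")])
	})
	return users, nil
}

// RedactAuthUsers is the mitigation side: it returns a copy of the response with
// every htpasswd entry replaced by a fixed marker, plus the number of entries
// redacted. This mirrors what an API layer should do before serializing config.
func RedactAuthUsers(raw []byte) ([]byte, int, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, 0, err
	}
	redacted := 0
	walk(doc, "", func(arr []interface{}, i int, _ string) {
		arr[i] = "[redacted]"
		redacted++
	})
	out, err := json.Marshal(doc)
	return out, redacted, err
}

func main() {
	users, _ := ExposedHashUsers([]byte(sampleAPIResponse))
	fmt.Println("users with exposed hashes:", users)
	out, n, _ := RedactAuthUsers([]byte(sampleAPIResponse))
	fmt.Printf("redacted %d entries:\n%s\n", n, out)
}
```

Running the check against a live deployment means fetching `/api` exactly as the reporter did and feeding the body to `ExposedHashUsers`; a non-empty result on a version before the fix referenced below is the condition to act on (restrict who can reach the API, rotate the affected passwords). The redaction walk is deliberately format-agnostic so it also covers digest-auth `users` arrays, which share the same shape.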

@traefiker commented May 29, 2019

Closed by #4918.

@traefiker traefiker added this to the 1.7 milestone May 29, 2019

@traefiker traefiker closed this May 29, 2019
