Authentication hashes are available through the API #4917

Closed
1 of 2 tasks
dduportal opened this issue May 29, 2019 · 1 comment
Comments

@dduportal
Contributor

dduportal commented May 29, 2019

Do you want to request a feature or report a bug?

Bug

Did you try using a 1.7.x configuration for the version 2.0?

  • Yes
  • No

What did you do?

  • Enabled Traefik API, creating a frontend protected with a user / password (see reproduction case below)
  • Fetched the API

What did you expect to see?

$ curl -u "user:password" http://localhost/api
{"docker":{"backends":{"backend-lb-api-auth-docker":{"servers":{"server-api-auth-lb-1-e42dd141b28258fda36b39d92119a422":{"url":"http://172.19.0.2:8080","weight":1}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-docker-lb-api-auth-docker":{"entryPoints":["http"],"backend":"backend-lb-api-auth-docker","routes":{"route-frontend-docker-lb-api-auth-docker":{"rule":"Host:localhost"}},"passHostHeader":true,"priority":0,"basicAuth":null,"auth":{"basic":{"users":["<OBFUSCATED>"]}}}}}}

What did you see instead?

$ curl -u "user:password" http://localhost/api
{"docker":{"backends":{"backend-lb-api-auth-docker":{"servers":{"server-api-auth-lb-1-e42dd141b28258fda36b39d92119a422":{"url":"http://172.19.0.2:8080","weight":1}},"loadBalancer":{"method":"wrr"}}},"frontends":{"frontend-docker-lb-api-auth-docker":{"entryPoints":["http"],"backend":"backend-lb-api-auth-docker","routes":{"route-frontend-docker-lb-api-auth-docker":{"rule":"Host:localhost"}},"passHostHeader":true,"priority":0,"basicAuth":null,"auth":{"basic":{"users":["user:$apr1$HFjubfEM$ZDbKJK872VzBLXv5DiQPd0"]}}}}}}

=> So I can totally use a rainbow table to de-hash the password up to 14 characters easily (more is challenging as of today), even if there is a salt in the basic auth.

Output of traefik version: (What version of Traefik are you using?)

docker run traefik:1.7.11 version
Version:      v1.7.11
Codename:     maroilles
Go version:   go1.11.9
Built:        2019-04-26_08:42:33AM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Simple reproduction case, with a frontend on the API itself for the sake of simplicity:
(Username is user and password is password)

version: '3'

services:
  lb:
    image: traefik:1.7.11
    command:
      - "--api"
      - "--docker"
    ports:
      - "80:80"
      - "8080:8080"
    labels:
      - "traefik.frontend.rule=Host:localhost"
      - "traefik.frontend.auth.basic.users=user:$$apr1$$HFjubfEM$$ZDbKJK872VzBLXv5DiQPd0"
      - "traefik.docker.port=8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

Not applicable
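The report above shows the `/api` endpoint returning the htpasswd-style `users` entries verbatim. The following is an added example, not code from the Traefik project or from the reporter: a small Python audit that walks an API dump, flags any `users` entry whose password half matches a standard htpasswd hash layout (apr1-MD5, bcrypt, `{SHA}`), and produces a redacted copy that is safe to attach to a ticket or ship to a log pipeline. The hash formats are assumed from the usual htpasswd conventions, and the embedded sample response is constructed to mirror the shape of the output quoted in the report with a placeholder hash rather than a real credential.

```python
"""Detect and redact htpasswd-style credential hashes in a Traefik 1.7 API dump.

Added example: walks the JSON returned by /api, reports every basic-auth
"users" entry that carries a recognizable password hash, and returns a copy
with the hash half replaced so the dump can be shared without leaking it.
"""
import json
import re
from typing import Any, Dict, List, Optional, Tuple

# Standard htpasswd hash layouts (assumed from htpasswd conventions, not from
# Traefik source): Apache apr1-MD5, bcrypt, and base64 SHA1 with the {SHA} prefix.
HASH_PATTERNS = {
    "apr1-md5": re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "sha1": re.compile(r"^\{SHA\}[0-9A-Za-z+/]{27}=$"),
}

REDACTED = "<REDACTED>"


def classify_user_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Return (username, hash_type) when entry looks like user:<known hash>, else None."""
    if ":" not in entry:
        return None
    user, secret = entry.split(":", 1)
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(secret):
            return user, name
    return None


def find_and_redact(node: Any, path: str = "$") -> Tuple[Any, List[Dict[str, str]]]:
    """Recursively copy the JSON tree, redacting hashes in any "users" list.

    Returns the redacted copy and a list of findings (JSON path, user, hash type).
    """
    findings: List[Dict[str, str]] = []
    if isinstance(node, dict):
        out: Dict[str, Any] = {}
        for key, value in node.items():
            child_path = f"{path}.{key}"
            if key == "users" and isinstance(value, list):
                new_list = []
                for item in value:
                    hit = classify_user_entry(item) if isinstance(item, str) else None
                    if hit:
                        user, kind = hit
                        findings.append({"path": child_path, "user": user, "hash": kind})
                        new_list.append(f"{user}:{REDACTED}")
                    else:
                        new_list.append(item)
                out[key] = new_list
            else:
                sub, sub_findings = find_and_redact(value, child_path)
                out[key] = sub
                findings.extend(sub_findings)
        return out, findings
    if isinstance(node, list):
        out_list = []
        for i, item in enumerate(node):
            sub, sub_findings = find_and_redact(item, f"{path}[{i}]")
            out_list.append(sub)
            findings.extend(sub_findings)
        return out_list, findings
    return node, findings


def audit_api_dump(raw_json: str) -> Tuple[str, List[Dict[str, str]]]:
    """Parse an /api response body; return (compact redacted JSON, findings)."""
    doc = json.loads(raw_json)
    redacted, findings = find_and_redact(doc)
    return json.dumps(redacted, separators=(",", ":")), findings


# Constructed sample shaped like the /api response quoted in the report.
# The hash is a placeholder with the apr1 layout, not a real credential.
SAMPLE = json.dumps({
    "docker": {
        "frontends": {
            "frontend-docker-lb-api-auth-docker": {
                "entryPoints": ["http"],
                "backend": "backend-lb-api-auth-docker",
                "auth": {"basic": {"users": ["user:$apr1$SALTSALT$AAAAAAAAAAAAAAAAAAAAAA"]}},
            }
        }
    }
})

if __name__ == "__main__":
    cleaned, found = audit_api_dump(SAMPLE)
    for f in found:
        print(f"LEAK: {f['hash']} hash for user {f['user']!r} at {f['path']}")
    print(cleaned)
```

Running the script on a live dump (`curl -u user:password http://localhost/api | python audit.py`, after swapping `SAMPLE` for `sys.stdin.read()`) gives a quick yes/no on whether the version in use still exposes hashes, which is the check a defender wants after upgrading past the fix referenced below.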

@dduportal dduportal added kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. priority/P0 needs hot fix labels May 29, 2019
@ldez ldez added kind/bug/confirmed a confirmed bug (reproducible). area/api and removed kind/bug/possible a possible bug that needs analysis before it is confirmed or fixed. status/0-needs-triage labels May 29, 2019
@traefiker
Contributor

Closed by #4918.

@traefiker traefiker added this to the 1.7 milestone May 29, 2019
@traefik traefik locked and limited conversation to collaborators Sep 1, 2019