Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable support for Digest Authentication #957

Closed
snej opened this issue Jun 30, 2015 · 6 comments
Closed

Enable support for Digest Authentication #957

snej opened this issue Jun 30, 2015 · 6 comments
Assignees
@adamcfraser
Labels
enhancement
Milestone
Future

Comments

@snej
Copy link
Contributor

snej commented Jun 30, 2015
edited by adamcfraser
Loading

We really shouldn't allow clients to authenticate using Basic auth over a non-SSL connection, since it leaks the user's credentials. (If this weren't so common, it would be considered a horrible security vulnerability.)

We do probably still need to support some sort of username/password auth for non-SSL, which means Digest auth (I don't know of any comparable alternatives.) Go's HTTP package doesn't support it, but there is a go-http-auth package that does and seems to be pretty easy to adopt.
@snej snej added the security label Jun 30, 2015
@snej
Copy link
Contributor Author

snej commented Jun 30, 2015

Note: iOS's ChangeTracker doesn't support Digest auth, but I'm in the middle of fixing that.

@adamcfraser
Copy link
Collaborator

Can SG support digest when it's storing passwords using bcrypt? I didn't think we had the ability to extract the password to build the MD5 hash for digest. Or is there a way around this?

@snej
Copy link
Contributor Author

snej commented Jul 1, 2015

That's a good point. If we were storing a MD5 or SHA digest of the password I think it would work (the server-side part of Digest auth doesn't actually require the password itself, just a digest) but not with something funky like jillions of rounds of bcrypt hashing.

@snej
Copy link
Contributor Author

snej commented Jul 1, 2015

From section 4.13 of the RFC:

   Digest authentication requires that the authenticating agent (usually
   the server) store some data derived from the user's name and password
   in a "password file" associated with a given realm. Normally this
   might contain pairs consisting of username and H(A1), where H(A1) is
   the digested value of the username, realm, and password as described
   above.
   The security implications of this are that if this password file is
   compromised, then an attacker gains immediate access to documents on
   the server using this realm. Unlike, say a standard UNIX password
   file, this information need not be decrypted in order to access
   documents in the server realm associated with this file.
   ... [T]he password file must be protected as if it contained unencrypted
   passwords, because for the purpose of accessing documents in its
   realm, it effectively does.

@tleyden
Copy link
Contributor

tleyden commented Jul 6, 2015

I think we would should add a property like allow_basic_auth_non_ssl which defaults to false. Users can override it if they need to (for local testing).

@adamcfraser adamcfraser self-assigned this Jul 6, 2015
@zgramana zgramana added this to the 1.2.0 milestone Jul 20, 2015
@zgramana zgramana modified the milestones: 1.2.0, 1.3 Feb 17, 2016
@zgramana zgramana changed the title Don't use Basic auth over unencrypted connections Enable support for Digest Authentication Mar 7, 2016
@adamcfraser adamcfraser modified the milestones: 1.3, Future May 26, 2016
@adamcfraser
Copy link
Collaborator

Closing this ticket, as JWT would be the preferred alternative to basic auth in non-SSL scenarios.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adamcfraser adamcfraser

Labels
enhancement
Projects
None yet
Milestone
Future
Development

No branches or pull requests
4 participants
@snej @tleyden @zgramana @adamcfraser