-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use secrets for node-passwd entries #2407
Conversation
e8bf80d
to
57af8d1
Compare
57af8d1
to
512e168
Compare
Can I ask why scrypt? It's intentionally memory-intensive to make ASIC-based cracking hard; with N=2^15 each password comparison will require allocating about 32MB of memory. Most current guidelines suggest use of argon2. |
scrypt was used here because it utilizes pbkdf2 and sha256 under the hood, and has been used for awhile in rancher/rancher for cluster auth tokens, and is probably an upgrade compared to the bcrypt hashing otherwise used for authentication there. Is the memory or cpu requirement in practice actually an issue? Which guidelines recommend using argon2? Is argon2 FIPS approved? |
Yeah I was curious about the fips question myself. Memory seems like a relevant consideration for edge use cases, but if scrypt is already vetted for use in rke2 then maybe we could just tune it for use in k3s? |
It feels like premature optimization, I don't think anything needs to be tuned (yet), but I suppose we could take some time testing on whatever relevant device. |
33b85b4
to
ee5c65e
Compare
Testing on x86 hashing is about ~100ms each, armv6 w/ rpi4 is ~600ms. As a non-interactive verification which should be infrequent this is probably acceptable. Memory usage should be fairly negligible assuming serial hashing as the memory is collected & re-used. Should be fairly easy to limit parallel hashing or lower scrypt N value if need as a future update. |
coreclient "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1" | ||
"github.com/sirupsen/logrus" | ||
core "k8s.io/api/core/v1" | ||
) | ||
|
||
func Register(ctx context.Context, configMap coreclient.ConfigMapController, nodes coreclient.NodeController) error { | ||
func Register(ctx context.Context, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: https://github.com/golang/go/wiki/CodeReviewComments#line-length
No change necessary.
@@ -31,3 +31,5 @@ if [ -n "$DIRTY" ]; then | |||
git status --porcelain --untracked-files=no | |||
exit 1 | |||
fi | |||
|
|||
"${GO}" test -v ./... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
ee5c65e
to
55ce180
Compare
55ce180
to
992ca52
Compare
Proposed Changes
Store node passwords as hashed secrets and remove on node delete.
Types of Changes
Bugfix
Verification
Linked Issues
For #802
Further Comments