Use secrets for node-passwd entries #2407
Conversation
erikwilson
force-pushed
the
node-passwd-cleanup
branch
from
e8bf80d
to
57af8d1
Compare
erikwilson
force-pushed
the
node-passwd-cleanup
branch
from
57af8d1
to
512e168
Compare
|
Can I ask why scrypt? It's intentionally memory-intensive to make ASIC-based cracking hard; with N=2^15 each password comparison will require allocating about 32MB of memory. Most current guidelines suggest use of argon2. |
|
scrypt was used here because it utilizes pbkdf2 and sha256 under the hood, and has been used for awhile in rancher/rancher for cluster auth tokens, and is probably an upgrade compared to the bcrypt hashing otherwise used for authentication there. Is the memory or cpu requirement in practice actually an issue? Which guidelines recommend using argon2? Is argon2 FIPS approved? |
|
Yeah I was curious about the fips question myself. Memory seems like a relevant consideration for edge use cases, but if scrypt is already vetted for use in rke2 then maybe we could just tune it for use in k3s? |
|
It feels like premature optimization, I don't think anything needs to be tuned (yet), but I suppose we could take some time testing on whatever relevant device. |
erikwilson
force-pushed
the
node-passwd-cleanup
branch
4 times, most recently
from
33b85b4
to
ee5c65e
Compare
erikwilson
changed the title
|
Testing on x86 hashing is about ~100ms each, armv6 w/ rpi4 is ~600ms. As a non-interactive verification which should be infrequent this is probably acceptable. Memory usage should be fairly negligible assuming serial hashing as the memory is collected & re-used. Should be fairly easy to limit parallel hashing or lower scrypt N value if need as a future update. |
| coreclient "github.com/rancher/wrangler-api/pkg/generated/controllers/core/v1" | ||
| "github.com/sirupsen/logrus" | ||
| core "k8s.io/api/core/v1" | ||
| ) | ||
|
|
||
| func Register(ctx context.Context, configMap coreclient.ConfigMapController, nodes coreclient.NodeController) error { | ||
| func Register(ctx context.Context, |
There was a problem hiding this comment.
Nit: https://github.com/golang/go/wiki/CodeReviewComments#line-length
No change necessary.
| @@ -31,3 +31,5 @@ if [ -n "$DIRTY" ]; then | |||
| git status --porcelain --untracked-files=no | |||
| exit 1 | |||
| fi | |||
|
|
|||
| "${GO}" test -v ./... | |||
erikwilson
force-pushed
the
node-passwd-cleanup
branch
from
ee5c65e
to
55ce180
Compare
erikwilson
force-pushed
the
node-passwd-cleanup
branch
from
55ce180
to
992ca52
Compare
Proposed Changes
Store node passwords as hashed secrets and remove on node delete.
Types of Changes
Bugfix
Verification
Linked Issues
For #802
Further Comments