Plain-text passwords in your ZODB
So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)? Look for them in /++etc++site/default/PersistentSessionDataContainer, inside the numerous SessionCredentials objects.

I would like to release zope.pluggableauth 1.2 with this change:

  http://zope3.pov.lt/trac/changeset/118971/zope.pluggableauth

so that people could supply a different SessionCredentials implementation if they so desire. For example, they could use keas.kmi.persistent.EncryptedPersistent as a base class.

Any comments/objections/better suggestions?

That still leaves the default behaviour being broken. I'm not feeling up to the task of redesigning zope.pluggableauth so it wouldn't need to keep a copy of the user's credentials persistently. Any takers?

By the way, that would be a nice opportunity to fix a few other Zope3/BlueBream authentication issues:

* It's *insanely complicated* to log user logins and logouts, if you need an accurate audit log. Or if you want to count the number of failed login attempts.

* It's *insanely complicated* (if not impossible) to try to use your own Principal classes.

* The default password hashing and salting scheme (SSHA) used by the principal folder is weak. See
  http://codahale.com/how-to-safely-store-a-password/
  http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-...

* The password checking code in zope.password is susceptible to a timing attack. See
  http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

Marius Gedminas -- http://pov.lt/ -- Zope 3/BlueBream consulting and development
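The last two items in the list above (single-round salted SHA-1 being cheap to brute-force, and a hash comparison that returns early on the first differing byte) as an added example written for this thread; it is not code from zope.password or zope.pluggableauth. The hash string format, the `{PBKDF2-SHA256}` prefix and the iteration count are assumptions made here, and the naive verifier is kept beside the constant-time one only to show the difference in the comparison.

```python
"""Added example (not zope.password's code): a salted, iterated password
hash with a constant-time verifier, next to the weak SSHA scheme and the
naive early-exit comparison for contrast."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2. Constructed value for this example; the count is
# stored inside each hash string so that it can be raised later without
# invalidating existing hashes.
ITERATIONS = 100_000
SALT_BYTES = 16
PREFIX = "{PBKDF2-SHA256}"  # assumed format marker, not zope.password's


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The weak scheme for comparison: salt plus ONE round of SHA-1.
    One hash costs one SHA-1 call, so guessing is fast for an attacker."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: prefix$iterations$salt$digest.
    A fresh random salt is drawn per password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join((PREFIX, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored hash back into (iterations, salt, digest)."""
    prefix, iterations, salt, digest = stored.split("$")
    if prefix != PREFIX:
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt), base64.b64decode(digest)


def check_password_leaky(stored: str, password: str) -> bool:
    """Naive verifier: '==' on bytes stops at the first mismatching byte,
    so the time taken depends on how many leading bytes matched."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return actual == expected


def check_password(stored: str, password: str) -> bool:
    """Constant-time verifier: compare_digest always walks the full length,
    so the comparison time does not depend on where the bytes differ."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(check_password(stored, "correct horse"),
          check_password(stored, "wrong guess"))
```

The iteration count is part of the stored string so that a deployment can raise it over time and re-hash on the next successful login; the verifier reads whatever count the hash was made with.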
Marius Gedminas wrote:
> So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
By "Zope" you mean Zope 3, ZTK, Bluebream ...?

Andreas
On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> Marius Gedminas wrote:
> > So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
All of the above. More specifically, zope.pluggableauth (and, I assume, zope.app.authentication before that). I haven't looked at Zope 2, sorry.

Marius Gedminas -- http://pov.lt/ -- Zope 3/BlueBream consulting and development
On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> > Marius Gedminas wrote:
> > > So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
> > By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> All of the above. More specifically, zope.pluggableauth (and, I assume, zope.app.authentication before that).
> I haven't looked at Zope 2, sorry.
I would venture to say that almost nobody in the Z2 world uses zope.pluggableauth: they use Products.PluggableAuthService or another Z2-specific solution.

The SessionAuth plugin for PAS does put the credentials in the session, IIRC.

Tres.
-- 
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com
On 12/17/10 00:55, Tres Seaver wrote:
> On 12/16/2010 02:58 PM, Marius Gedminas wrote:
> > On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> > > Marius Gedminas wrote:
> > > > So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
> > > By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> > All of the above. More specifically, zope.pluggableauth (and, I assume, zope.app.authentication before that).
> > I haven't looked at Zope 2, sorry.
> I would venture to say that almost nobody in the Z2 world uses zope.pluggableauth: they use Products.PluggableAuthService or another Z2-specific solution.
> The SessionAuth plugin for PAS does put the credentials in the session, IIRC.
For Plone we use plone.session to manage authentication sessions. plone.session does not require any ZODB writes or storing of passwords, plaintext or otherwise. It is probably portable to zope.pluggableauth.

Wichert.
On 16.12.2010, at 20:58, Marius Gedminas wrote:
> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
> > Marius Gedminas wrote:
> > > So, did you know that by default Zope stores a copy of every user's username and password in your ZODB, in plain text, on every login that uses forms and sessions (rather than HTTP basic auth)?
> > By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> All of the above. More specifically, zope.pluggableauth (and, I assume, zope.app.authentication before that).
I never understood why you would want to store the credentials in the session at all (AFAIK not necessarily in your app's ZODB in case you use a RAM based session storage).

Besides storing passwords in your session, Zope 3's and probably also Bluebream's PAU authenticate the user on each request. That might not be a problem if you use a local principal folder, but if you authenticate against an external authentication source, e.g. LDAP, you probably don't want to contact it on each request.

For our apps we modified the PAU (plugins) to store the authenticated principal in the session instead of the credentials. The only possible disadvantage I can think of is that you can't lock out a user until their session is invalidated.

Regards,
Markus Kemmerling
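The design Markus describes above (verify the credentials once at login, keep only the authenticated principal in the session, never contact the external source per request) as an added example written for this thread; it is not code from zope.pluggableauth, plone.session or the modified PAU plugins he mentions. The class names `PasswordSource` and `PrincipalSessionStore`, the session lifetime and the user fixture are hypothetical. It also carries the lock-out caveat he names: because requests do not re-check the source, disabling an account has to drop that principal's sessions explicitly, which `invalidate_principal` does.

```python
"""Added example (not zope.pluggableauth's or plone.session's code): a
session store that keeps a random session id on the client side and only
the principal id on the server side, so the password is never persisted."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_LIFETIME = 8 * 3600  # seconds; constructed value for the example


class PasswordSource:
    """Stand-in for an external authentication source such as LDAP.
    It is consulted once at login and never on ordinary requests."""

    def __init__(self, users: Dict[str, str]):
        self._users = users  # principal id -> password; constructed fixture
        self.lookups = 0     # how often the source has been contacted

    def check(self, login: str, password: str) -> bool:
        self.lookups += 1
        expected = self._users.get(login)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode("utf-8"),
                                   password.encode("utf-8"))


class PrincipalSessionStore:
    """Server-side table: session id -> (principal id, creation time)."""

    def __init__(self, source: PasswordSource,
                 clock: Callable[[], float] = time.time):
        self._source = source
        self._clock = clock  # injectable so expiry can be tested
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, login: str, password: str) -> Optional[str]:
        """Verify once against the source; on success mint a random session
        id. Nothing derived from the password is kept."""
        if not self._source.check(login, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (login, self._clock())
        return sid

    def principal_for(self, sid: str) -> Optional[str]:
        """Resolve a session id to a principal id without touching the
        source. Expired sessions are dropped on access."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        principal, created = entry
        if self._clock() - created > SESSION_LIFETIME:
            del self._sessions[sid]
            return None
        return principal

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def invalidate_principal(self, principal: str) -> int:
        """Lock-out hook: disabling an account must also remove its live
        sessions, since requests never re-check the source. Returns the
        number of sessions removed."""
        doomed = [sid for sid, (p, _) in self._sessions.items()
                  if p == principal]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


if __name__ == "__main__":
    source = PasswordSource({"alice": "s3cret"})  # constructed fixture
    store = PrincipalSessionStore(source)
    sid = store.login("alice", "s3cret")
    print("principal:", store.principal_for(sid), "lookups:", source.lookups)
    print("removed:", store.invalidate_principal("alice"),
          "after lock-out:", store.principal_for(sid))
```

The session id is the only thing the client holds and the only key the server stores, so a ZODB dump (or a RAM session store) yields principal ids and timestamps, not reusable credentials.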