The deprecation of MD5 can be done in a graceful fashion with the following scheme:

We add an Authenticator which can take a plaintext password and add it after the MD5 authenticator. Anyone who is already using the MD5 password in the API will continue to function as they do now. Anyone upgrading is not affected. Any new integrator/cloudstack user can start using plaintext passwords in the API without issues, as there is a plaintext authenticator in the chain. Again, the use of SSL ensures channel security and keeps the password safe, as is done by countless other websites taking plaintext passwords from their users. With plaintext passwords cloudstack can now seamlessly work with external authentication systems as well. With this we do not need a new parameter either; probably a warning in the logs saying that this is going to be deprecated soon.

-Abhi

-----Original Message-----
From: Kevin Kluge [mailto:kevin.kl...@citrix.com]
Sent: Monday, April 30, 2012 9:30 PM
To: Will Chan; cloudstack-dev@incubator.apache.org
Subject: RE: user credentials

This means the client has to figure out whether to send an MD5 hash or cleartext on a per-cloud basis. That seems unreasonable. Why don't we just send plain text passwords and expect the use of SSL? We'd have to add a new parameter and deprecate the current MD5 hash password.

-kevin

> -----Original Message-----
> From: Will Chan
> Sent: Saturday, April 28, 2012 4:39 PM
> To: cloudstack-dev@incubator.apache.org; Kevin Kluge
> Subject: RE: user credentials
>
> The service provider (or whoever is hosting CloudStack) needs to make
> that decision. Using the default CS installation, we default to the
> MD5UserAuthenticator, which requires passwords passed to the login
> command to be MD5 hashed. This got changed to plain-text in 3.0 and
> must be reverted back to MD5 in 3.0.2 when the upgrade patch is
> released, or anyone upgrading could get affected.
>
> If the service/hosting provider wants to use a different hashing
> algorithm -OR- none, he can create or configure CS to use that adapter.
> However, they are responsible for informing their customer.
>
> Will
>
> ________________________________________
> From: Abhinandan Prateek [abhinandan.prat...@citrix.com]
> Sent: Saturday, April 28, 2012 3:28 PM
> To: Kevin Kluge; cloudstack-dev@incubator.apache.org
> Subject: RE: user credentials
>
> The use of plaintext passwords in the API is required only for those
> cloudstack users who wish to use an external authentication mechanism,
> and will be documented.
> The support for the encoded password has to be kept as is due to
> existing users of cloudstack.
>
> -----Original Message-----
> From: Kevin Kluge
> Sent: Sunday, April 29, 2012 1:09 AM
> To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
> Subject: RE: user credentials
>
> How would an API client know whether to use cleartext or an MD5 hash?
>
> > -----Original Message-----
> > From: Abhinandan Prateek
> > Sent: Saturday, April 28, 2012 7:56 AM
> > To: Kevin Kluge; cloudstack-dev@incubator.apache.org
> > Subject: RE: user credentials
> >
> > In 2.2.* we were passing the MD5 encoded password via the UI. For Acton it
> > changed to the unencrypted password, as that was the only way to have
> > external systems authenticate cloudstack users, for example external LDAP.
> > This is being reverted back to the MD5 encoded password in 3.0.2, as it
> > was. It will be left to the admin to configure this encryption
> > mechanism in case LDAP is in use.
> >
> > -Abhi
> >
> > -----Original Message-----
> > From: Kevin Kluge
> > Sent: Saturday, April 28, 2012 8:16 PM
> > To: Abhinandan Prateek; cloudstack-dev@incubator.apache.org
> > Subject: RE: user credentials
> >
> > Abhi, is this a backwards incompatible API change? Also, what does it mean
> > for upgrade?
> >
> > I thought we always sent MD5 hashed passwords from the UI to the MS. Can
> > you explain the change a bit more?
> >
> > -kevin
> >
> > > -----Original Message-----
> > > From: Abhinandan Prateek
> > > Sent: Saturday, April 28, 2012 12:14 AM
> > > Subject: user credentials
> > >
> > > Team,
> > > There has been a change in the way passwords are being passed
> > > from the cloudstack UI. In case you have difficulty logging in with
> > > the new 3.* build, clear your browser cache. If you are using the API
> > > to log in then you need to provide MD5 encrypted passwords to log in
> > > instead of plaintext. In case you still have issues, drop me an email.
> > > -Abhi
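The authenticator chain proposed at the top of the thread (MD5 adapter first, plaintext adapter after it, deprecation warning when the MD5 path matches), written out as an added example. This is not CloudStack's code and not part of the original thread: the class names, the in-memory user table, the `login` function and the dict standing in for an external directory such as LDAP are all assumptions made for illustration. It follows the thread's description that the default store holds MD5-hashed passwords and that an external system can only verify a plaintext password.

```python
"""Model of the proposed authenticator chain (added example, not CloudStack code).

Assumptions: local users are stored as hex md5(password), as the thread says
the default MD5UserAuthenticator expects; an external directory (LDAP in the
thread) is stood in for by an in-memory dict of plaintext passwords; all
names below are invented for this example.
"""
import hashlib
import hmac
import logging
import re

log = logging.getLogger("auth-chain")

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def md5_hex(text):
    """Hex MD5 of a UTF-8 string (the encoding the thread's clients send)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed local user table: username -> md5(password) as hex.
LOCAL_USERS = {
    "admin": md5_hex("s3cretPassw0rd"),
}

# Constructed stand-in for an external directory (e.g. an LDAP bind).
# It can only check a plaintext password; it never sees MD5 hashes.
EXTERNAL_DIRECTORY = {
    "alice": "correct horse battery staple",
}


def _eq(a, b):
    """Constant-time comparison on bytes so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class MD5UserAuthenticator:
    """Legacy adapter: the client submits md5(password) and it is compared
    directly with the stored hash."""
    name = "MD5"

    def authenticate(self, username, submitted):
        stored = LOCAL_USERS.get(username)
        if stored is None or not MD5_HEX.fullmatch(submitted):
            return False
        return _eq(submitted, stored)


class PlainTextUserAuthenticator:
    """New adapter added after the MD5 one: the client submits the plaintext
    password (over SSL) and the server hashes it before comparing."""
    name = "PLAINTEXT"

    def authenticate(self, username, submitted):
        stored = LOCAL_USERS.get(username)
        if stored is None:
            return False
        return _eq(md5_hex(submitted), stored)


class ExternalDirectoryAuthenticator:
    """Stand-in for an external system such as LDAP: it needs the plaintext
    password, which is why the thread wants plaintext in the API at all."""
    name = "EXTERNAL"

    def authenticate(self, username, submitted):
        stored = EXTERNAL_DIRECTORY.get(username)
        return stored is not None and _eq(submitted, stored)


# Chain order from the proposal: MD5 first, plaintext after it, then external.
AUTH_CHAIN = [MD5UserAuthenticator(), PlainTextUserAuthenticator(),
              ExternalDirectoryAuthenticator()]


def login(username, submitted):
    """Try each authenticator in order. Returns the name of the adapter that
    accepted the credential, or None. Emits the deprecation warning the
    proposal suggests whenever the legacy MD5 path is the one that matched."""
    for authenticator in AUTH_CHAIN:
        if authenticator.authenticate(username, submitted):
            if authenticator.name == "MD5":
                log.warning("user %r logged in with an MD5-hashed password; "
                            "this form of the login API is deprecated", username)
            return authenticator.name
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(login("admin", LOCAL_USERS["admin"]))            # legacy client -> MD5
    print(login("admin", "s3cretPassw0rd"))               # new client -> PLAINTEXT
    print(login("alice", "correct horse battery staple"))  # external -> EXTERNAL
    print(login("alice", md5_hex("correct horse battery staple")))  # None
```

Two things the example makes visible that the prose only implies. First, an MD5-only client cannot use an externally authenticated account at all (`alice` with a hash returns `None`), which is the reason the thread needs plaintext in the API. Second, because the legacy adapter compares the submitted value directly with the stored hash, the stored hash is itself a valid credential: anyone who reads the user table can log in as `admin` without knowing the password, so protecting that table matters as much as protecting the SSL channel. A plaintext password that happens to be 32 lowercase hex characters is handled correctly by the chain: the MD5 adapter rejects it (it does not equal the stored hash) and the plaintext adapter then hashes it and matches.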