Bug 1874322 - openshift/oauth-proxy: htpasswd using SHA1 to store credentials
Summary: openshift/oauth-proxy: htpasswd using SHA1 to store credentials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.6.z
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.8.0
Assignee: Standa Laznicka
QA Contact: liyao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-01 03:28 UTC by Mark Cooper
Modified: 2021-07-27 22:33 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Allow using bcrypt to hash passwords for oauth-proxy htpasswd files.
Reason: The oauth-proxy currently only accepts SHA1-hashed passwords in the htpasswd file that can be supplied to it via its options.
Result: The oauth-proxy now also accepts bcrypt-hashed passwords in the supplied htpasswd files.
Clone Of:
Environment:
Last Closed: 2021-07-27 22:32:55 UTC
Target Upstream Version:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Github openshift oauth-proxy pull 186 | 0 | None | open | Bug 1874322: add bcrypt as a supported hashing method for htpasswd passwords | 2021-02-04 07:45:20 UTC
Red Hat Product Errata RHSA-2021:2438 | 0 | None | None | None | 2021-07-27 22:33:19 UTC

Description Mark Cooper 2020-09-01 03:28:29 UTC
Description of problem:

Coverity scanner has detected the use of SHA1 in the oauth-proxy repository:
https://github.com/openshift/oauth-proxy/blob/20bf8e702b98b228dde09a48ae0dbeb14a73d591/htpasswd.go#L45

After talking with @slaznick, it's confirmed that this just allows administrators to add additional users on top of the normal OpenShift ones. 


So whilst a low priority, it would be good to eventually get this updated to use something like bcrypt instead (I think that's the best we can do here) especially given that https://httpd.apache.org/docs/2.4/misc/password_encryptions.html lists SHA1 as no longer secure. The motivation here would be at least from a compliance angle, i.e. potentially storing passwords as SHA1. 



Additional info:

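The description above is about the `{SHA}` htpasswd format: a single unsalted SHA-1 over the password, base64-encoded. The following Go program is an added example written for this page; it is not oauth-proxy code and not taken from the linked pull request. It parses an htpasswd file, classifies each entry by hash scheme (recognising `{SHA}`, `$apr1$` and `$2a$`/`$2b$`/`$2y$` bcrypt strings and reading the bcrypt cost), verifies a password against a `{SHA}` entry the way the pre-fix proxy had to, and shows the concrete weakness of the unsalted scheme: users who share a password share a byte-identical hash, so one cracked digest exposes all of them. The sample file, the `MinBcryptCost` policy threshold and the "weak" rule (anything that is not bcrypt at an adequate cost) are assumptions made for the example; the bcrypt strings are syntactically valid but constructed, not real hashes. Verifying a bcrypt entry would use `bcrypt.CompareHashAndPassword` from `golang.org/x/crypto/bcrypt`, which is left out here to keep the program standard-library only.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Entry is one parsed htpasswd line plus what we inferred about the hash.
type Entry struct {
	User   string
	Hash   string
	Scheme string // "sha1", "apr1-md5", "bcrypt", or "other" (crypt(3) or plaintext)
	Cost   int    // bcrypt work factor; 0 for the other schemes
	Weak   bool   // assumption for this example: anything but bcrypt at >= MinBcryptCost
}

// MinBcryptCost is an assumed policy threshold for this example, not an oauth-proxy setting.
const MinBcryptCost = 10

// Constructed sample file for the example; "password" is the plaintext behind the {SHA} lines.
// The bcrypt lines are well-formed but were not produced by a bcrypt implementation.
const SampleHtpasswd = `# constructed sample, not from any real deployment
alice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$2y$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
dave:$2a$04$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
`

// bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

// Classify recognises the hash formats htpasswd(1) can emit.
func Classify(hash string) (scheme string, cost int, weak bool) {
	switch {
	case strings.HasPrefix(hash, "{SHA}"):
		return "sha1", 0, true // unsalted, single SHA-1: fast to brute-force, rainbow-table friendly
	case strings.HasPrefix(hash, "$apr1$"):
		return "apr1-md5", 0, true
	case bcryptRe.MatchString(hash):
		cost, _ = strconv.Atoi(bcryptRe.FindStringSubmatch(hash)[1])
		return "bcrypt", cost, cost < MinBcryptCost
	default:
		return "other", 0, true
	}
}

// ParseHtpasswd parses "user:hash" lines; blank lines and '#' comments are skipped.
func ParseHtpasswd(content string) ([]Entry, error) {
	var entries []Entry
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		user, hash, ok := strings.Cut(line, ":")
		if !ok || user == "" || hash == "" {
			return nil, fmt.Errorf("line %d: expected user:hash", n)
		}
		scheme, cost, weak := Classify(hash)
		entries = append(entries, Entry{User: user, Hash: hash, Scheme: scheme, Cost: cost, Weak: weak})
	}
	return entries, sc.Err()
}

// VerifySHA1 checks a password against a "{SHA}<base64 sha1>" entry: one unsalted
// SHA-1 over the password, compared in constant time. Malformed entries never match.
func VerifySHA1(hash, password string) bool {
	digest, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(hash, "{SHA}"))
	if err != nil || len(digest) != sha1.Size {
		return false
	}
	want := sha1.Sum([]byte(password))
	return subtle.ConstantTimeCompare(digest, want[:]) == 1
}

// DuplicateSHA1Hashes returns {SHA} hashes shared by two or more users. Because the
// scheme is unsalted, equal passwords give equal stored hashes, visible from the file alone.
func DuplicateSHA1Hashes(entries []Entry) map[string][]string {
	byHash := map[string][]string{}
	for _, e := range entries {
		if e.Scheme == "sha1" {
			byHash[e.Hash] = append(byHash[e.Hash], e.User)
		}
	}
	for h, users := range byHash {
		if len(users) < 2 {
			delete(byHash, h)
		}
	}
	return byHash
}

func main() {
	entries, err := ParseHtpasswd(SampleHtpasswd)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, e := range entries {
		fmt.Printf("%-6s scheme=%-9s cost=%-2d weak=%v\n", e.User, e.Scheme, e.Cost, e.Weak)
	}
	for h, users := range DuplicateSHA1Hashes(entries) {
		fmt.Printf("identical {SHA} hash %s shared by %v\n", h, users)
	}
	fmt.Println("alice/password verifies:", VerifySHA1(entries[0].Hash, "password"))
}
```

Run it against a real file by replacing `SampleHtpasswd` with the file contents; every entry reported as `weak=true` with `scheme=sha1` is one that should be regenerated with `htpasswd -B` once the proxy build that accepts bcrypt is in place.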
Comment 2 Michal Fojtik 2020-10-01 03:51:14 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 3 Standa Laznicka 2020-10-01 07:31:26 UTC
Removing LifecycleStale, I just did not get to it yet

Comment 16 errata-xmlrpc 2021-07-27 22:32:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

