Re: [thredds] Hashed password for tomcat-users.xml is not consistent so unable to login

  • To: Julien Chastang <chastang@xxxxxxxx>, Sean Arms <sarms@xxxxxxxx>
  • Subject: Re: [thredds] Hashed password for tomcat-users.xml is not consistent so unable to login
  • From: "Vu , Long" <vu.long@xxxxxxxxxx>
  • Date: Fri, 20 Sep 2019 19:00:17 +0000
I made a typo in the "massaged" URL but I confirm I can access the 
admin/debug page with the default password "admin" from the docker image 
unidata/thredds-docker:4.6.14 via http (unsecured), no redirect observed.

Also the admin password hash from the stock tomcat-users.xml in the 
docker image is like this

   <user username="admin"
         password="d033e22ae348aeb5660fc2140aec35850c4da997"
         roles="tdsConfig,tdsMonitor"/>

The hash is much shorter than when generated following the instructions 
for the same password "admin".

Long


-------- Original Message --------
From: Julien Chastang <chastang@xxxxxxxx>
Subject: [thredds] Hashed password for tomcat-users.xml is not 
consistent so unable to login
Date: Friday, September 20, 2019, 13:41
To: Sean Arms <sarms@xxxxxxxx>
Cc: Vu , Long <vu.long@xxxxxxxxxx>, thredds@xxxxxxxxxxxxxxxx 
<thredds@xxxxxxxxxxxxxxxx>

It is thredds *NOT* thedds. See typos above. Maybe that is the confusion
here.

For background info, see this article on password hashing and salting:
https://auth0.com/blog/hashing-passwords-one-way-road-to-security/

On Fri, Sep 20, 2019 at 11:26 AM Sean Arms <sarms@xxxxxxxx
<mailto:sarms@xxxxxxxx>> wrote:

     Greetings!

     This isn't a bug - what you are seeing are salted, hashed passwords.
     Each time you run the digest script, a different salt is being used,
     so the overall hash changes. The format of the string returned by
     Tomcat's digest.sh is:

     {user}:{salt}${iterations}${digest}

     For more information, see
     https://tomcat.apache.org/tomcat-8.5-doc/realm-howto.html#Digested_Passwords

     When you try to log into http://<my host>:8080/thedds/admin/debug,
     are you getting redirected to https, because the admin interface to
     the TDS requires that you are accessing it over a secure connection.
     If you are not getting redirected to https://<my host>:8443 or
     similar, that would be why you cannot log into the admin interface.

     Cheers,

     Sean

     On Fri, Sep 20, 2019 at 10:13 AM Vu , Long <vu.long@xxxxxxxxxx
     <mailto:vu.long@xxxxxxxxxx>> wrote:

         Hi,

         I followed instructions here
         https://github.com/Unidata/thredds-docker#h20B33C74 which leads
         to here
         https://github.com/Unidata/tomcat-docker#digested-passwords.

         As you can see below, I tried to hash "admin" 4 times and "super" 3
         times and I am getting completely different result each time.

         Consequently I am unable to login to
         http://<my host>:8080/thedds/admin/debug with the password I have
         chosen because probably the hash calculated on server side is
         different so the 2 hashes did not match!

         What did I do wrong so I should log a bug for this?

         11:47 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" admin
         admin:7e7e81ea10686b0648bffa9edafd0b7f60eacc5145d97dd1d357cbc193060aed$1$ab2c3ddcb23f65a9b6e3f204958dd463336c283f

         12:00 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" admin
         admin:8446588eec143b0decac02be49993bcc56e4b16a4187ce15a2727f267d7f1306$1$e771b647858a86ff580290077b5df357f5c20650

         12:00 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" admin
         admin:ee16b99f11c0eeba71a6a821fba1e8b09f273ab032c13d2ce7ec5eeab2a1e7cc$1$bab5606e5cbb0ae1bca38c0f5bd15d656fe72085

         12:00 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" admin
         admin:4ec71242066de4912869026a017f7ebeb59bdaec4de40ba8ac9ff694229c2084$1$a0c61f7703b080e3bcfcdb2579854df45d2abcdd

         12:00 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" super
         super:f423f534302461b1829891a2e1fcdbf7ffa2c06721a51b3b12cd70695ce4cdec$1$cc6c5d231b0f522c20606139619052fba3f5a257

         12:01 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" super
         super:eace3dbabc0275bd6f5a745eb55b3e3de729e8d835882e4469d066eae1a19f9d$1$7f3e8561201bdac50e328dbc89f9383b5d26d47a

         12:01 $ docker run unidata/thredds-docker:4.6.14 /usr/local/tomcat/bin/digest.sh -a "SHA" super
         super:afc94d3d0885e8e81cc02ba26642085563a3edb3f375afe2c0f92068b43610b9$1$b6c57eae754e062469887ecc101df9adbe1a404d
         _______________________________________________
         NOTE: All exchanges posted to Unidata maintained email lists are
         recorded in the Unidata inquiry tracking system and made publicly
         available through the web.  Users who post to any of the lists we
         maintain are reminded to remove any personal information that they
         do not want to be made public.


         thredds mailing list
         thredds@xxxxxxxxxxxxxxxx <mailto:thredds@xxxxxxxxxxxxxxxx>
         For list information or to unsubscribe,  visit:
         https://www.unidata.ucar.edu/mailing_lists/




-- 
Julien Chastang
Scientific Software Developer
Unidata-UCAR
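
Added example, not part of the thread and not Tomcat's or Unidata's code: a Python model of how a salted `salt$iterations$digest` credential and the short unsalted hash from the stock tomcat-users.xml can both verify the same password. It assumes the digest is H(salt || password) re-hashed iterations-1 times, that "SHA" means SHA-1, and that the text before the last ':' in a digest.sh line is the cleartext; all function names are hypothetical.

```python
import hashlib
import hmac

# Copied from the thread: stock tomcat-users.xml hash and one digest.sh output line.
STOCK_HASH = "d033e22ae348aeb5660fc2140aec35850c4da997"
SAMPLE_LINE = ("admin:7e7e81ea10686b0648bffa9edafd0b7f60eacc5145d97dd1d357cbc193060aed"
               "$1$ab2c3ddcb23f65a9b6e3f204958dd463336c283f")

def tomcat_digest(password, salt=b"", iterations=1, algorithm="sha1"):
    """Assumed model: H(salt || password), then H(previous) iterations-1 more times."""
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()

def strip_cleartext(digest_sh_line):
    """Drop the 'cleartext:' prefix; the remainder is what gets stored (assumption)."""
    return digest_sh_line.strip().rsplit(":", 1)[1]

def parse_stored(stored):
    """Return (salt_bytes, iterations, digest_hex) for a stored credential."""
    parts = stored.split("$")
    if len(parts) == 1:                      # plain hex: unsalted, single round
        return b"", 1, parts[0].lower()
    if len(parts) != 3:
        raise ValueError("expected salt$iterations$digest")
    salt_hex, iterations, digest_hex = parts
    return bytes.fromhex(salt_hex), int(iterations), digest_hex.lower()

def verify(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt, iterations, digest_hex = parse_stored(stored)
    return hmac.compare_digest(tomcat_digest(password, salt, iterations), digest_hex)

def make_salted(password, salt, iterations=1):
    """Build a salt$iterations$digest credential from a caller-supplied salt."""
    return f"{salt.hex()}${iterations}${tomcat_digest(password, salt, iterations)}"

if __name__ == "__main__":
    salt, iterations, digest_hex = parse_stored(strip_cleartext(SAMPLE_LINE))
    print(f"salt={len(salt)} bytes, iterations={iterations}, digest={len(digest_hex)} hex chars")
    print("stock hash is unsalted SHA-1 of 'admin':", verify("admin", STOCK_HASH))
    # Two constructed salts: different stored strings, same password verifies against both.
    first = make_salted("admin", bytes(range(32)))
    second = make_salted("admin", bytes(32))
    print(first != second, verify("admin", first), verify("admin", second))
```

The stored string differs on every run because the salt is stored beside the digest and reused at verification, so a differing hash does not by itself prevent a match.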


