Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Password secret has no effect #2328

Closed alpha-centauri closed 8 years ago

alpha-centauri commented 8 years ago

Problem description

The password secret / pepper (password_secret in graylog.conf) seems to have no effect. After changing its value, it is still possible to authenticate as a local user whose password had been hashed with the old password secret.

Steps to reproduce the problem

  1. Choose some password_secret x and start the server.
  2. Create a local user.
  3. Choose a different password_secret y and restart the server.
  4. Try to log in as the user created in step 2.

Result: Authentication for that user still works. Actually, it is expected to fail because the password hash should be different when using a different password secret.

Environment

joschi commented 8 years ago

@alpha-centauri The password secret isn't being used to hash user passwords.

See https://github.com/Graylog2/graylog2-server/blob/2.0.2/graylog2-server/src/main/java/org/graylog2/security/hashing/BCryptPasswordAlgorithm.java for the actual password hashing algorithm being used.