coder / code-server

VS Code in the browser
https://coder.com
MIT License

Password hash #2225

Closed LVerneyPEReN closed 3 years ago

LVerneyPEReN commented 4 years ago

Hi,

As far as I understand, the current password setup stores the password as plaintext in the user config file. It would probably be safer to have it stored as a hash and do a hash comparison upon login.

Is this feature already available? Else, would you accept a PR adding this behavior?

Thanks, Best,

code-asher commented 4 years ago

PRs are definitely welcome. I think the best path forward would be to add a hashedPassword option that will take precedence over password if it exists.

nhooyr commented 3 years ago

I don't believe #2409 fully closes this. We need to automatically hash the existing password.

JammSpread commented 3 years ago

Like you type hashedPassword in plaintext and code-server in runtime hashes it?

nhooyr commented 3 years ago

That could be one way to do it but I was confused when I wrote my above comment. This issue is definitely closed. I was thinking we could automatically always convert password in config.yaml to hashedPassword and rewrite the file. However, users need to see the default generated password when they login for the first time. Perhaps we should add something to the CLI to allow specifying the new password, hashing it and then storing it in config.yaml as hashedPassword.

I'm opening a new issue.

edit: nvm, decided against automation here for now. sha256sum is soo easy to use. perhaps we should add an example somewhere in the docs.

JayMBS commented 3 years ago

I'm attempting to follow the instructions to use a hashed password, however it does not appear to be working for me on: v3.8.0 with Ubuntu 18.04.04

From the FAQ: https://github.com/cdr/code-server/blob/v3.8.0/doc/FAQ.md#can-i-store-my-password-hashed

it states to literally use "hashed-password" instead of "password". From the PR (https://github.com/cdr/code-server/pull/2409/files) I see reference to "hashedPassword" instead (unknown if that is relevant). What I can say is I have tried the following combinations in the config file and restarted the service each time; none seem to work for me. (I must be missing something, but in any case the FAQ does not explicitly say which "password" to change: the password field name, the auth field value, or just the password field value. FYI, changing just the password value does not work either, but it does allow me to use the hashed value to log in with, which obviously is not what I want. Help?)

bind-addr:
auth: password
password:
cert: false

bind-addr:
auth: hashed-password
password:
cert: false

bind-addr:
auth: password
hashed-password:
cert: false

bind-addr:
auth: hashed-password
hashed-password:
cert: false

bind-addr:
auth: hashedPassword
password:
cert: false

bind-addr:
auth: hashedPassword
hashedPassword:
cert: false

bind-addr:
auth: hashed-password
hashedPassword:
cert: false

bind-addr:
auth: hashedPassword
hashed-password:
cert: false

SPGoding commented 3 years ago
bind-addr: IP:Port
auth: password
hashed-password: <Hashed_Password>
cert: false

This is the one that should work. They changed it from hashedPassword to hashed-password in #2454.

No idea why that didn't work for you though :confused:

JayMBS commented 3 years ago

I have changed it as you have shown above and after restarting the service it does not work. I'm also using the exact sha256sum command with my own password (with and without double-quotes). Is there a log or something I can look in/check?

hgw77 commented 3 years ago

hey, I have the same issue, using HASHED_PASSWORD as env variable. When I try to log on it says "Please log in below. Password was set from $HASHED_PASSWORD." but the password is not working

I create my hashed password with echo "dev" | sha256sum | cut -d' ' -f1

Using the official docker image codercom/code-server:3.8.0

JayMBS commented 3 years ago

Thank you for validating that I'm not completely crazy. :) - Could anyone else confirm this and a possible fix?

SPGoding commented 3 years ago

Use printf instead of echo. echo contains a new line character at the end of its output.

hgw77 commented 3 years ago

ahhhh, yes that makes sense ;-) echo -n should also solve the problem (-n, Do not output a newline)

nhooyr commented 3 years ago

echo -n isn't portable!

BorysNie commented 1 year ago

printf "password" | sha256sum | cut -d' ' -f1

Works for me, and make sure to quote the HASHED_PASSWORD=''
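An added example (not code from this thread or from code-server) that shows the trailing-newline pitfall discussed above and mirrors the comparison a SHA-256 hashed-password check performs; it assumes sha256sum or shasum is installed and uses the constructed password "dev" from the thread:

```shell
#!/bin/sh
# Added example: why "echo" and "printf" yield different sha256 hashes, and how a
# hashed-password login compares the SHA-256 hex of the submitted password to the stored hex.

# sha256_hex: read stdin, print only the hex digest (assumes sha256sum or shasum is available)
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Hash of the exact password bytes: this is what the login form submits and what gets compared.
hash_password() {
    printf '%s' "$1" | sha256_hex
}

# Hash produced by the "echo" pipeline from the thread: echo appends "\n",
# so the digest covers "dev\n" rather than "dev" and will never match a typed "dev".
hash_password_with_echo() {
    echo "$1" | sha256_hex
}

# check_login STORED_HASH CANDIDATE: succeeds (exit 0) only when the candidate hashes to STORED_HASH
check_login() {
    [ "$(hash_password "$2")" = "$1" ]
}

# Demonstration with the constructed password "dev"
STORED_OK="$(hash_password dev)"
STORED_BAD="$(hash_password_with_echo dev)"
echo "printf hash: $STORED_OK"
echo "echo hash:   $STORED_BAD"
check_login "$STORED_OK" dev && echo "login against printf-generated hash: accepted"
check_login "$STORED_BAD" dev || echo "login against echo-generated hash: rejected (hash covers 'dev' plus newline)"
```

Running this prints two different digests for the same password, which is exactly the symptom reported above.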

Huge commented 1 month ago

I'm just feeling it might be useful for people confused about this if I link the current doc: https://github.com/coder/code-server/blob/main/docs/FAQ.md#can-i-store-my-password-hashed

Generate the hash with:

echo -n "thisismypassword" | npx argon2-cli -e  # should output something like:
$argon2i$v=19$m=4096,t=3,p=1$wst5qhbgk2lu1ih4dmuxvg$ls1alrvdiwtvzhwnzcm1dugg+5dto3dt1d5v9xtlws4
# Replace thisismypassword with your actual password and remember to put it inside quotes!