Open phil-r opened 1 month ago
Looks like this bug should just be "£" cannot be used in a password. Do you have other characters that don't work?
Are you sure you didn't inherit a previous container?
Hey @dblock! Thanks for the reply.
I've just tested with €, ™, © and à - it's the same problem, but using e.g. $ works fine.
The issue can be reproduced on both new and existing containers.
Moving this issue to security repo.
[Triage] Hi @phil-r thank you for filing this issue. This is currently the expected behavior based on the allowed password rules. However, we can use this issue as a request to expand the rules to allow non-standard special characters.
Hey @scrawfor99, thanks for taking a look into this. I believe there are 2 ways to solve this:
OPENSEARCH_INITIAL_ADMIN_PASSWORD that contains unsupported special characters should fail (like it does if you set a weak password)

Hi @phil-r, if you want to change the password validation regex you can use the settings found here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/support/ConfigConstants.java#L279
Otherwise the password is validated against: https://github.com/opensearch-project/security/blob/1d1b1ed7bb0d0c99e693c3571231d1f2b8b7cb7c/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java#L147
Hi @phil-r, as you can see, the default value of the regex used for admin password validation is this.
I did some further digging and it seems like password validation is failing when using OpenBSDCrypt's checkPassword method. It will need some deep diving to understand the workings of this method. It could be as simple as a standard encoding recognition issue.
These are the logs from the InternalAuthenticationBackend.java class just before OpenBSDCrypt.checkPassword() is executed.
opensearch-node1 | [2024-06-17T19:10:04,468][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] array: 01982374£Abvfivb
opensearch-node1 | [2024-06-17T19:12:40,607][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] Hash: $2y$12$m4cac6aU4Tqra/vuezrbNuxGH5tWf17AGsa2NIUR601BYlHTFiZdG
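The encoding hypothesis raised above, as an added example that is not code from this issue, from the OpenSearch security plugin or from OpenBSDCrypt: it assumes the stored hash is computed over the password's bytes under one charset and the login check re-encodes the candidate under another. The strength regex, the PBKDF2-HMAC stand-in for bcrypt, the sample passwords and every function name here are illustrative assumptions; only the shape of the password is taken from the DEBUG log line.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed samples, modelled on the password in the DEBUG log above;
# any real credential would do.
PASSWORD_WITH_POUND = "01982374£Abvfivb"
PASSWORD_WITH_DOLLAR = "01982374$Abvfivb"

# Hypothetical strength rule (assumed, not the plugin's default regex): at
# least 8 characters with an upper-case letter, a lower-case letter, a digit
# and one character that is neither a letter nor a digit. Both "£" and "$"
# satisfy the last class, so a rule of this shape accepts both passwords.
STRENGTH_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,}$")


def passes_strength_rule(password: str) -> bool:
    """True if the password satisfies the (assumed) strength regex."""
    return STRENGTH_RE.match(password) is not None


def password_bytes(password: str, charset: str) -> bytes:
    """What a byte-oriented hash actually sees. '£' is one byte (0xA3) in
    ISO-8859-1 and two bytes (0xC2 0xA3) in UTF-8; '$' is 0x24 in both."""
    return password.encode(charset)


def hash_password(password: str, charset: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for a bcrypt-style hash (PBKDF2-HMAC-SHA256 here, so the
    example runs without a bcrypt dependency). The hash is computed over
    the password *bytes*, so the charset chosen at this point is baked in."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes(password, charset), salt, 100_000)
    return "pbkdf2$" + salt.hex() + "$" + digest.hex()


def check_password(password: str, stored: str, charset: str) -> bool:
    """Verify in constant time, re-encoding the candidate under `charset`."""
    _scheme, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password_bytes(password, charset), bytes.fromhex(salt_hex), 100_000
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_succeeds(password: str, hash_charset: str, check_charset: str) -> bool:
    """Simulate a hash created under one charset (e.g. a setup tool using the
    platform default) and checked under another (e.g. UTF-8 decoded from an
    HTTP Basic header). A mismatch only shows up for non-ASCII characters."""
    stored = hash_password(password, hash_charset)
    return check_password(password, stored, check_charset)


if __name__ == "__main__":
    for pw in (PASSWORD_WITH_POUND, PASSWORD_WITH_DOLLAR):
        print(
            pw,
            "| strength ok:", passes_strength_rule(pw),
            "| same bytes in UTF-8 and ISO-8859-1:",
            password_bytes(pw, "utf-8") == password_bytes(pw, "iso-8859-1"),
            "| login (ISO-8859-1 hash, UTF-8 check):",
            login_succeeds(pw, "iso-8859-1", "utf-8"),
        )
```

The two calls to `login_succeeds` reproduce the symptom in the thread: the strength rule passes both passwords, so setup succeeds, but the "£" password fails verification whenever the hashing and checking sides disagree on the charset, while "$" keeps working because its byte is identical in every ASCII-compatible encoding. When chasing a bug like this in a real system, confirm which charset each side uses (platform default vs. an explicit `UTF-8`) before suspecting the hash algorithm itself.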
Describe the bug
Using a £ in a password makes it impossible to authenticate.
Related component
Other
To Reproduce
Following these docs
And then
Will respond with
Unauthorized
But running
And then
Works!
Expected behavior
Get a proper response when using a £ symbol in the password, like:
Additional Details
Plugins: None
Screenshots
Password with pound sign
Password without pound sign
Host/Environment (please complete the following information):
756d2401537847f8bfb158a02a649a46adf7e7d15303a3692ed3d76586189d12
Additional context
Setting the password is really frustrating; sometimes it asks for a special symbol, but you can skip setting it and it lets you through. The behaviour is really unpredictable.