opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] cannot use £ in a password #4379

Open phil-r opened 1 month ago

phil-r commented 1 month ago

Describe the bug

Using a £ in a password makes it impossible to authenticate

Related component

Other

To Reproduce

Following these docs:

docker pull opensearchproject/opensearch:latest
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=01982374£Abvfivb" opensearchproject/opensearch:latest

And then

curl https://localhost:9200 -ku 'admin:01982374£Abvfivb'

Will respond with Unauthorized

But running

docker pull opensearchproject/opensearch:latest
docker run -d -p 9200:9200 -p 9600:9600 -e "discovery.type=single-node" -e "OPENSEARCH_INITIAL_ADMIN_PASSWORD=01982374Abvfivb" opensearchproject/opensearch:latest

And then

curl https://localhost:9200 -ku 'admin:01982374Abvfivb'

Works!

Expected behavior

Get a proper response when using a £ symbol in the password, like:

{
  "name" : "56a871697249",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "uPEiXZdCRmW8FvYr9K4GZQ",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.14.0",
    "build_type" : "tar",
    "build_hash" : "aaa555453f4713d652b52436874e11ba258d8f03",
    "build_date" : "2024-05-09T18:51:00.973564994Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

Additional Details

Plugins: None

Screenshots: password with pound sign (image), password without pound sign (image)


Additional context: Setting a password is really frustrating; sometimes it asks for a special symbol, but you can skip setting it and it lets you through. The behaviour is really unpredictable.

dblock commented 1 month ago

Looks like this bug should just be "£" cannot be used in a password. Do you have other characters that don't work?

Are you sure you didn't inherit a previous container?

phil-r commented 1 month ago

Hey @dblock! Thanks for the reply.

I've just tested with , , © and à - it's the same problem, but using e.g. $ works fine.

The issue can be reproduced on both new and existing containers.

gaiksaya commented 1 month ago

Moving this issue to security repo.

scrawfor99 commented 1 month ago

[Triage] Hi @phil-r thank you for filing this issue. This is currently the expected behavior based on the allowed password rules. However, we can use this issue as a request to expand the rules to allow non-standard special characters.

phil-r commented 2 weeks ago

Hey @scrawfor99, thanks for looking into this. I believe there are two ways to solve this:

  1. starting OpenSearch with an OPENSEARCH_INITIAL_ADMIN_PASSWORD that contains unsupported special characters should fail (like it does if you set a weak password)
  2. special characters should be supported when you try to log in

scrawfor99 commented 2 weeks ago

Hi @phil-r, if you want to change the password validation regex, you can use the settings found here: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/support/ConfigConstants.java#L279

Otherwise the password is validated against: https://github.com/opensearch-project/security/blob/1d1b1ed7bb0d0c99e693c3571231d1f2b8b7cb7c/src/main/java/org/opensearch/security/tools/democonfig/SecuritySettingsConfigurer.java#L147

DarshitChanpura commented 2 weeks ago

Hi @phil-r, as you can see, the default value of the regex used for admin password validation is this.

I did some further digging, and it seems like password validation is failing when using OpenBSDCrypt's checkPassword method. It will need some deep diving to understand how this method works. It could be as simple as a standard encoding recognition issue.

These are the logs from InternalAuthenticationBackend.java class just before OpenBSDCrypt.checkPassword() is executed.

opensearch-node1  | [2024-06-17T19:10:04,468][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] array: 01982374£Abvfivb
opensearch-node1  | [2024-06-17T19:12:40,607][DEBUG][o.o.s.a.i.InternalAuthenticationBackend] [opensearch-node1] Hash: $2y$12$m4cac6aU4Tqra/vuezrbNuxGH5tWf17AGsa2NIUR601BYlHTFiZdG
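The encoding hypothesis raised in the comment above can be tested in isolation with the same BouncyCastle class the log refers to. The following is an added example, not code from the OpenSearch security plugin: it hashes the reporter's password with OpenBSDBCrypt at cost 12 (the `$2y$12$` prefix in the log), then runs checkPassword against the password as recovered from an HTTP Basic header decoded two ways. The header is built from UTF-8 bytes, as curl's `-u` does; the class name `PoundSignBcryptDemo`, the helper names and the choice of ISO-8859-1 as the "wrong" decoding are assumptions for illustration, and the example assumes `bcprov` is on the classpath.

```java
// Added example (not OpenSearch project code). Demonstrates that a bcrypt check on a
// non-ASCII password succeeds or fails depending on whether the chars hashed at setup
// and the chars presented at login came from the same byte encoding.
// Assumes org.bouncycastle:bcprov on the classpath.
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

public class PoundSignBcryptDemo {
    // Cost 12 matches the "$2y$12$" prefix of the hash in the thread's debug log.
    static final int COST = 12;

    /** Hash the password as chars; OpenBSDBCrypt converts them to UTF-8 bytes internally. */
    static String hash(String password) {
        byte[] salt = new byte[16]; // bcrypt requires a 16-byte salt
        new SecureRandom().nextBytes(salt);
        return OpenBSDBCrypt.generate("2y", password.toCharArray(), salt, COST);
    }

    /** Build "Basic <base64(user:password)>" from UTF-8 bytes, the way curl -u does. */
    static String basicHeader(String user, String password) {
        byte[] utf8 = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(utf8);
    }

    /** Extract the password part of a Basic header, decoding the raw bytes with the given charset. */
    static String passwordFromBasicHeader(String headerValue, Charset charset) {
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        String userColonPass = new String(raw, charset);
        return userColonPass.substring(userColonPass.indexOf(':') + 1);
    }

    public static void main(String[] args) {
        // The reporter's password, with £ written as U+00A3 (constructed test input).
        String password = "01982374\u00A3Abvfivb";
        String stored = hash(password);
        String header = basicHeader("admin", password);

        // Both sides use UTF-8: the chars are identical and the check passes.
        String utf8Pw = passwordFromBasicHeader(header, StandardCharsets.UTF_8);
        System.out.println("UTF-8 decode   -> " + OpenBSDBCrypt.checkPassword(stored, utf8Pw.toCharArray()));

        // Header decoded as ISO-8859-1 (what many Basic-auth parsers assume when no charset
        // parameter is present): the two UTF-8 bytes of £ become the two chars "Â£", so the
        // bytes bcrypt sees differ from the ones that were hashed and the check fails.
        String latin1Pw = passwordFromBasicHeader(header, StandardCharsets.ISO_8859_1);
        System.out.println("Latin-1 decode -> " + OpenBSDBCrypt.checkPassword(stored, latin1Pw.toCharArray()));

        // An ASCII-only password is unaffected by the same mismatch, which is why the
        // reporter's second run worked.
        String ascii = "01982374Abvfivb";
        String storedAscii = hash(ascii);
        String asciiPw = passwordFromBasicHeader(basicHeader("admin", ascii), StandardCharsets.ISO_8859_1);
        System.out.println("ASCII, Latin-1 -> " + OpenBSDBCrypt.checkPassword(storedAscii, asciiPw.toCharArray()));
    }
}
```

The same mismatch arises if the hash, rather than the login credential, was produced from mis-decoded chars (for example, an environment variable read under a non-UTF-8 default charset), so when reproducing against a real node it is worth logging the code points of the password on both the hashing path and the authentication path, not just the printed string, since "£" and "Â£" look alike in some terminals.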