Skip to content

Constant time password comparison #81152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 8, 2019
Merged

Constant time password comparison #81152

merged 1 commit into from
Aug 8, 2019

Conversation

tedyu
Copy link
Contributor

@tedyu tedyu commented Aug 8, 2019
edited by liggitt
Loading

What type of PR is this?
/kind bug

What this PR does / why we need it:
This PR uses constant time password comparison to fix issue #81126

Which issue(s) this PR fixes:
fixes #81126

kube-apiserver: the `--basic-auth-file` flag and authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 8, 2019
@k8s-ci-robot k8s-ci-robot requested review from jianhuiz and sttts August 8, 2019 04:41
@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

needs bazel update. also should mark the --basic-auth-file parameter deprecated before the referenced issue is completely closed

@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

add something like this to where the flag is registered:

fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")

@tedyu
Copy link
Contributor Author

tedyu commented Aug 8, 2019

@liggitt
Deprecation has been added.

@tedyu
Copy link
Contributor Author

tedyu commented Aug 8, 2019

/test pull-kubernetes-integration

@tedyu
Copy link
Contributor Author

tedyu commented Aug 8, 2019

/test pull-kubernetes-e2e-gce

@tedyu
Copy link
Contributor Author

tedyu commented Aug 8, 2019

/test pull-kubernetes-e2e-gce-100-performance

@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

cc @kubernetes/sig-api-machinery-api-reviews @kubernetes/sig-auth-api-reviews for marking the --basic-auth-file flag as deprecated

@k8s-ci-robot k8s-ci-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Aug 8, 2019
@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 8, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tedyu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 8, 2019
@fejta-bot
Copy link

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

lavalamp
lavalamp reviewed Aug 8, 2019
View reviewed changes
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
@@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
if !ok {
return nil, false, nil
}
if user.password != password {
if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

arghghghgh

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

translation: incoherent despair that we could possibly have had such a bug in 2019

We also don't salt+hash the plain text passwords in the csv file, sigh...

@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2019
@liggitt
Copy link
Member

liggitt commented Aug 8, 2019

incoherent despair that we could possibly have had such a bug in 2019

great :)
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 8, 2019
@k8s-ci-robot k8s-ci-robot merged commit f4e39af into kubernetes:master Aug 8, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Aug 8, 2019
@cji cji mentioned this pull request Aug 8, 2019
Closed
@tallclair
Copy link
Member

We should be more specific about the deprecation timeline. I think the standard for flags is 2 releases, which puts removal at 1.18?

@jberkus
Copy link

jberkus commented Aug 13, 2019

@tallclair @liggitt the deprecation notice doesn't make it clear what we're replacing --basic-auth with for development/troubleshooting purposes, nor when we're replacing it. Shouldn't actual removal be dependent on having a replacement first?

@mikedanese
Copy link
Member

We have the static token authenticator to replace this with.

@cji cji mentioned this pull request Aug 15, 2019
Open
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
a4e0d03 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
3bf4fc7 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
149d2b4 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
1fa3a7d 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to rfranzke/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
24657ba 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
3361798 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to rfranzke/gardener that referenced this pull request Sep 19, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
65b1fd5 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
rfranzke added a commit to gardener/gardener that referenced this pull request Sep 20, 2019
@rfranzke
Disable kube-apiserver basic auth by default for 1.16 shoots
5be1f2a 
Basic authentication is deprecated as of Kubernetes 1.16 and will be
removed in the future. Consequently, let's not enable it by default for
new 1.16 shoots anymore. We will completely remove it in the future as
well. We have to inform end-users that they have to migrate.

See kubernetes/kubernetes#81152
alexellis added a commit to openfaas/faas-provider that referenced this pull request Oct 12, 2019
@alexellis
Compare basic-auth with constant time
9fb3a06 
A third-party security audit of Kubernetes found this issue
in the way they validated basic auth credentials. This change
implements the same check for the basic-auth plugin.

kubernetes/kubernetes#81152

Other plugins are also available such as OAuth2 / OIDC for
the OpenFaaS gateway.

The WWW-Authenticate realm was being set even when auth passed,
this was unnecessary and has been configured to only be set
when auth is required or the header is missing.

Tested with additional unit tests.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
@alexellis alexellis mentioned this pull request Oct 12, 2019
Merged
@alexellis
Copy link

@mikedanese do you have a link to the static token authenticator for reference?

alexellis added a commit to openfaas/faas-provider that referenced this pull request Oct 14, 2019
@alexellis
Compare basic-auth with constant time
8699aa7 
A third-party security audit of Kubernetes found this issue
in the way they validated basic auth credentials. This change
implements the same check for the basic-auth plugin.

kubernetes/kubernetes#81152

Other plugins are also available such as OAuth2 / OIDC for
the OpenFaaS gateway.

The WWW-Authenticate realm was being set even when auth passed,
this was unnecessary and has been configured to only be set
when auth is required or the header is missing.

Tested with additional unit tests.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
@enj enj mentioned this pull request Mar 11, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@jianhuiz jianhuiz Awaiting requested review from jianhuiz

@sttts sttts Awaiting requested review from sttts

+1 more reviewer

@lavalamp lavalamp lavalamp left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
v1.16
Development

Successfully merging this pull request may close these issues.

ATR-K8S-002: Non-constant time password comparison
9 participants
@tedyu @liggitt @k8s-ci-robot @fejta-bot @tallclair @jberkus @mikedanese @alexellis @lavalamp