Broker does not accept PBKDF2_SHA512 digests that contain `.` character in them #2847
Comments
Solution
As mentioned by Roger Light in the Mailing List, it turns out that when using
The adapted solution for the
```python
from passlib.hash import pbkdf2_sha512

digest = pbkdf2_sha512.using(salt_size=12, rounds=101).hash('testing')
if '.' in digest:
    print("shortened Base64 detected")
digest = digest.replace('pbkdf2-sha512', '7').replace('.', '+') + '=='
print(digest)
```
Tests
Generating two digests (one including
the broker accepts the credentials
And one is able to connect to the broker
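The conversion described in the comment above, generalized so that padding is computed per field instead of being fixed at `==` (an added example, not code from the issue or from the project). `verify_entry` is an assumed model of the broker-side check, and `passlib_style` with its constructed salt stands in for passlib so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac

def ab64_to_b64(field):
    """passlib adapted Base64 -> standard Base64: '.' becomes '+', '=' padding restored."""
    std = field.replace(".", "+")
    return std + "=" * (-len(std) % 4)

def passlib_to_mosquitto(digest):
    """Rewrite $pbkdf2-sha512$rounds$salt$hash as $7$rounds$salt$hash, padding each field."""
    _, scheme, rounds, salt, checksum = digest.split("$")
    if scheme != "pbkdf2-sha512":
        raise ValueError("unexpected scheme: " + scheme)
    return "$7${}${}${}".format(rounds, ab64_to_b64(salt), ab64_to_b64(checksum))

def verify_entry(entry, password):
    """Assumed model of the broker-side check: strict Base64, then PBKDF2-HMAC-SHA512."""
    try:
        _, ident, rounds, salt_b64, hash_b64 = entry.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        derived = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                                      int(rounds), len(expected))
    except ValueError:  # wrong field count, bad rounds, or non-standard Base64 such as '.'
        return False
    return ident == "7" and hmac.compare_digest(derived, expected)

def passlib_style(password, salt, rounds=101):
    """Constructed stand-in for passlib's output so the example runs without passlib."""
    def ab64(raw):
        return base64.b64encode(raw).decode().rstrip("=").replace("+", ".")
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "$pbkdf2-sha512${}${}${}".format(rounds, ab64(salt), ab64(key))

if __name__ == "__main__":
    # Constructed salt: twelve 0xfb bytes encode to "+/v7" repeated, so the digest has '.'
    digest = passlib_style("testing", b"\xfb" * 12)
    entry = passlib_to_mosquitto(digest)
    print(digest)
    print(entry)
    # Prefix-only rewrite fails the strict decode; the full conversion verifies.
    print(verify_entry(digest.replace("pbkdf2-sha512", "7"), "testing"),
          verify_entry(entry, "testing"))
```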
Environment
docker
Problem
This seems to be a strange behavior where a PBKDF2_SHA512 digest generated from an external tool should in theory accept the password but the Broker rejects it, particularly when it comes to having a `.` character in the digest.
Reproduction
I am using Python's passlib package which offers a simple wrapper over the PBKDF2_SHA512 HMAC logic using simple function APIs.
The package can simply be downloaded using `pip install passlib` on a system (current and stable version is 1.7.4)
Digest Generator Script
generator.py
The script replicates the logic of generating a digest for a plain-text password called: `testing`. It also sets the salt size of 12 and iteration rounds of 101 in order to comply with the Broker's decryption logic.
In order to generate simply execute:
Generating Digests
For the `testing` password I have generated some digests:
two with `.` in the digest:
one without `.` in the digest:
Broker's `users` file
Add the hashed passwords in a `users` file as follows:
Broker's `conf` file
Spin a Docker container
Broker Output logs
Results
As observed, any digests with a `.` character in them are thrown out and only digests without them are accepted by the broker. This is also checked via connecting to the broker with the credentials below in the GIF.