thrift-user mailing list archives

From George Chung <geo...@glympse.com>
Subject Re: username/password - security in Apache Thrift
Date Wed, 25 Sep 2013 20:17:46 GMT
Is your concern that you don't want your server side to even handle a
cleartext password? Yes, there are possible attacks against that type of
auth scheme that protocols such as Kerberos, CHAP, etc. mitigate. But
unfortunately, they are not integrated into Thrift.


On Wed, Sep 25, 2013 at 1:12 PM, George Chung <george@glympse.com> wrote:

>> and I think there must be a way to layer in something that knows how to
>> use the local password file or LDAP or whatever.
>
>
> Certainly those mechanisms must have APIs to validate the un/pw that you
> received over the wire. Those APIs would return true or false. And if they
> return true, they might return a blob of additional data about the
> authenticated user.
>
>
>
>> The last thing I want to do is authenticate the password myself, because
>> I'm sure whatever I came up with would not be "secure" by any reasonably
>> thorough definition of security.
>
>
> Regardless of whether you roll your own or delegate the responsibility to
> some other service (via an api), your server side is going to handle the un
> and cleartext pw and ask some service to validate the combination.
>
>
> On Wed, Sep 25, 2013 at 1:01 PM, Craig Artley <cartley@hotmail.com> wrote:
>
>> I guess I am not that clever; I need an example or how-to. I would like
>> to add password authentication to a thrift service, and I think there must
>> be a way to layer in something that knows how to use the local password
>> file or LDAP or whatever. The last thing I want to do is authenticate the
>> password myself, because I'm sure whatever I came up with would not be
>> "secure" by any reasonably thorough definition of security.
>>
>> Thanks for the pointers on TLS-SRP.  I'll take a look and see if I can
>> figure it out.
>>
>>   -craig
>>
>> > Date: Wed, 25 Sep 2013 12:09:00 -0700
>> > Subject: Re: username/password - security in Apache Thrift
>> > From: george@glympse.com
>> > To: user@thrift.apache.org
>> >
>> > And it's worth noting that authentication via client side certs is a
>> > "standard, reliable, vetted mechanism" that is already layered into
>> > Thrift via its support for SSL.
>> >
>> > un/pw authentication is typically considered an application layer
>> > concern. I've not heard of TLS-SRP until now...that's cool!
>> >
>> >
>> > On Wed, Sep 25, 2013 at 11:11 AM, Ben Craig <bencraig@apache.org>
>> > wrote:
>> >
>> > > > Does the thrift user have to build all the user authentication into
>> > > > the protocol? It seems like there should be some standard, reliable,
>> > > > vetted mechanism that could be layered into Thrift.
>> > >
>> > > Sending a username and password over an SSL connection is a very
>> > > common pattern. It is difficult for Thrift to do "everything" here,
>> > > because Thrift doesn't have access to whatever the backing database is
>> > > that stores the usernames and passwords.
>> > >
>> > > If you are looking for something that uses the username and password
>> > > as the only forms of authentication (in lieu of certificates), then you
>> > > should investigate TLS-SRP (http://en.wikipedia.org/wiki/TLS-SRP). You
>> > > would likely need to create a new transport class to wrap TLS-SRP.
>> > >
>>
>>
>
>
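Worked example of the delegation George describes, added here and not code from the thread or from Thrift itself: the handler class that a generated Thrift processor would wrap receives the username and cleartext password over the TLS-wrapped transport and hands them to a backend that answers true/false plus a blob of user attributes. The `login` IDL method, the `PasswordFileValidator` backend and the sample record are assumptions standing in for the local password file or LDAP service Craig mentions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class AuthResult:
    ok: bool
    attributes: dict = field(default_factory=dict)  # the "blob" about the user


class PasswordFileValidator:
    """Hypothetical stand-in for the local password file / LDAP backend.
    Each record is (salt, PBKDF2-SHA256 digest, attributes); the Thrift
    handler never learns how the password is actually checked."""

    def __init__(self, records):
        self._records = records

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def validate(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Hash anyway so unknown users take about as long as known ones.
            self.hash_password(password, b"\x00" * 16)
            return AuthResult(False)
        salt, digest, attrs = record
        if hmac.compare_digest(self.hash_password(password, salt), digest):
            return AuthResult(True, dict(attrs))
        return AuthResult(False)


class AuthServiceHandler:
    """Implementation the generated Processor would call; assumed IDL:
    `AuthResult login(1: string username, 2: string password)`."""

    def __init__(self, validator):
        self._validator = validator

    def login(self, username, password):
        # The cleartext password arrives here, as the thread says it must;
        # TLS on the transport protects it in transit, the backend decides.
        return self._validator.validate(username, password)


def build_demo_handler():
    # Constructed sample record: one user, salted digest, one attribute.
    salt = os.urandom(16)
    digest = PasswordFileValidator.hash_password("correct horse", salt)
    records = {"craig": (salt, digest, {"role": "user"})}
    return AuthServiceHandler(PasswordFileValidator(records))
```

Wiring `AuthServiceHandler` into a Thrift server is then the usual Processor plus a TSSLSocket-based server transport; the handler itself stays backend-agnostic.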
