Glacier2 Password Verification Problem in Windows (3.6)

pheiff (Stephen Pheiffer), Member, Organization: NIST, Project: NICE

We're in the process of upgrading from ZeroC 3.5 to ZeroC 3.6. We have been using a Glacier2 password file and this worked successfully in RHEL7 and Windows under 3.5. After trying this out in 3.6 I find that it still works in RHEL7, but I now get a PermissionDenied error in Windows when connecting.

Here is what I have tried:
1. I enabled the Null PermissionsVerifier. This worked in Windows and allowed a connection. This doesn't solve the problem, but at least lets me know that the rest of the configuration is probably OK.
2. I tried using the test password file which had previously worked, generated with openssl. This gives a permission denied error on connection. File contents (blank password): mI01znCX.lQew
3. I tried the new password generation program ZeroC provides to hash a blank password. This also gives permission denied. Password hash (for blank password):
$6$rounds=656000$gJ/yqIDFGyzyRtBL$gx4WbPj1DCTriv2Tm9PcMFamS3HySJPlRh3JN2mfLoUl2el7uw1rFOj4EtFwUHuTvTtZv0H/VWwSGWqv3t8Gd1
4. As a test, I tried to install a custom PermissionsVerifier. I got an error that it couldn't find the custom object I created. I couldn't find the demo referenced in the documentation so I gave up on looking at this further.
5. Found a tool to generate "PBKDF2" mentioned in the help. I tried following the suggested format and this also gives a permission denied error.
Password hash (for blank password):
$4ab30d4c9ea089ec3881f6cd31fd3bf0$2$df$

Anyway, what is a good way to generate a password for Windows for ZeroC 3.6? Is there a way to do this such that the same password works in Windows and Linux? Also, could you give me a string, representing a blank password, to put into my password file? This would at least help verify that nothing else is wrong.

Thanks

Best Answers

  • bernard (Bernard Normier), Jupiter, FL, Organization: ZeroC, Inc., Project: Ice, ZeroC Staff
    Accepted Answer

    Hi Stephen,

    We upgraded the Glacier2 "crypt password" hashing in Ice 3.6, as briefly described in the Ice 3.6 Release Notes.

    In Ice 3.5 and prior releases, we used the old DES-crypt password hash on all platforms. In 3.6, we use state-of-the-art hash functions on all platforms, but we don't use the same hash function on all platforms. As a result, you can't use the same password file (meaning file with hashed passwords) on Linux and Windows. If you are using Glacier2 on Windows with a password file, you need to generate the content of this password file on Windows, preferably by running the icehashpassword Python script on Windows.

    Note that if your Glacier2 client on Windows is connecting to a Glacier2 router on Linux, you don't need a password file on Windows, or to hash passwords on Windows. With Glacier2, the username and password are sent to the Glacier2 router: the Glacier2 router then hashes this password and compares this hash with the entry in its password file.

    The blank-password hash in your post was generated on Linux. On Windows, you would get something like the following for a blank password:
    C:\Users\bernard>icehashpassword
    Password:
    $pbkdf2-sha256$20000$/B8DwDin1Nqb03pvTWnNeQ$u1rjdx1rT8Jv6ARoLEXGmJ7YdVo2wGvPhrU3/tbbZyU

    (you'll get a different hash if you try yourself as the salt is random data).

    "Is there a way to do this such that the same password works in Windows and Linux?"

    You can use the same password on Linux and Windows, but not the same passwords file since the hashes are platform-dependent.

    "As a test, I tried to install a custom PermissionsVerifier. I got an error that it couldn't find the custom object I created. I couldn't find the demo referenced in the documentation so I gave up on looking at this further."

    The Glacier2 simpleChat demo uses a custom permission verifier:
    https://github.com/zeroc-ice/ice-demos/tree/3.6/cpp/Glacier2/simpleChat

    However, I could not find where we (mis)link it in the manual - can you provide the page? We'd like to fix this bug.

    All the best,
    Bernard
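
Added example, not part of the original posts and not ZeroC's code: a Python sketch that names the hash scheme of each entry quoted in this thread and verifies a password against the `$pbkdf2-sha256$rounds$salt$checksum` form shown for Windows. The function names are hypothetical, and the salt/checksum encoding (unpadded base64 with `.` in place of `+`, as passlib writes it) is an assumption the thread does not state.

```python
import base64
import hashlib
import hmac
import os

def ab64_encode(data):
    """Unpadded base64 with '.' in place of '+' (assumed passlib-style encoding)."""
    return base64.b64encode(data).decode("ascii").rstrip("=").replace("+", ".")

def ab64_decode(text):
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))

def classify(entry):
    """Name the hash scheme of a password-file hash from its prefix and shape."""
    if entry.startswith("$pbkdf2-sha256$"):
        return "pbkdf2-sha256"   # form shown for Windows in the thread
    if entry.startswith("$6$"):
        return "sha512-crypt"    # form generated on Linux in the thread
    if len(entry) == 13 and "$" not in entry:
        return "des-crypt"       # Ice 3.5 and earlier
    return "unknown"

def hash_pbkdf2_sha256(password, rounds=20000, salt=None):
    """Build an entry; 20000 rounds matches the Windows hash quoted in the thread."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$pbkdf2-sha256$%d$%s$%s" % (rounds, ab64_encode(salt), ab64_encode(digest))

def verify_pbkdf2_sha256(password, entry):
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        _, scheme, rounds, salt, checksum = entry.split("$")
        if scheme != "pbkdf2-sha256":
            return False         # a Linux or DES entry can never match here
        expected = ab64_decode(checksum)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     ab64_decode(salt), int(rounds), len(expected))
    except (ValueError, OverflowError):
        return False             # malformed entry: reject rather than crash
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    fresh = hash_pbkdf2_sha256("")   # blank password, random salt
    print(classify(fresh), verify_pbkdf2_sha256("", fresh))
    print(classify("mI01znCX.lQew"))  # the 3.5-era entry from the question
```

Because the salt is random, two entries for the same password differ, which is why the verifier must read the salt and round count back out of the stored entry instead of comparing strings.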

  • pheiff (Stephen Pheiffer), Organization: NIST, Project: NICE
    Accepted Answer

    OK, it sounds like my key misunderstanding is that the same password will have different hashes on Linux and Windows and the icehashpassword program produces different results if run on Windows vs. Linux.

    In our case we sometimes run production servers in Linux, but run testing servers in Windows and Linux. In the past, all test machines used the same password file containing the hash of blank password (there is no need to secure access to the test servers). Moving forward we'll use the NullPermissionsVerifier for all test servers as the blank password cannot be universal any more.

    Thanks for your time/help on this.

    PS.
    As for the link, look in the middle of this page:
    https://doc.zeroc.com/display/Ice36/Securing+a+Glacier2+Router
    There is a section in green which says:
    "A sample implementation of the PermissionsVerifier interface is provided in the demo/Glacier2/callback directory"

    I had gotten as far as the https://github.com/zeroc-ice/ice-demos folder, but it looks like the example name/location have changed. It might be better to give the entire link in case the person doesn't know where the code/project is. I'm sure this is mentioned elsewhere on the website.
