[libvirt PATCH 0/2] docs: less docs for insecure SASL mechanisms

Daniel P. Berrangé posted 2 patches 3 years ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20210304181013.10329-1-berrange@redhat.com
docs/auth.html.in        | 368 ---------------------------------------
docs/auth.rst            | 323 ++++++++++++++++++++++++++++++++++
docs/meson.build         |   2 +-
src/remote/libvirtd.sasl |  11 +-
4 files changed, 330 insertions(+), 374 deletions(-)
delete mode 100644 docs/auth.html.in
create mode 100644 docs/auth.rst
Posted by Daniel P. Berrangé 3 years ago
GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we
especially want people to be using. Even the latter is a little
questionable due to storing passwords in cleartext on the server.

Daniel P. Berrangé (2):
  docs: convert auth page into RST format
  docs: stop mentioning insecure / broken SASL mechanisms


-- 
2.29.2


Re: [libvirt PATCH 0/2] docs: less docs for insecure SASL mechanisms
Posted by Erik Skultety 3 years ago
On Thu, Mar 04, 2021 at 06:10:11PM +0000, Daniel P. Berrangé wrote:
> GSSAPI and SCRAM-SHA-256 are the only two SASL mechanisms we
> especially want people to be using. Even the latter is a little
> questionable due to storing passwords in cleartext on the server.

At what point of the SCRAM-SHA-256 auth process is the password handled as clear
text? I mean I tried to look up the issue you mention and couldn't find
anything, quite the contrary, e.g. Postgres says SCRAM-SHA-256 is the only
recommended scheme for password-based auth and storing passwords in clear text
is not possible. Isn't it kind of the point that passwords are never stored in
clear text with this scheme?

https://www.postgresql.org/docs/13/auth-password.html

Erik