base_crypt and users_ldap don't work together

Bug #738721 reported by Tobias G. Pfeiffer
This bug affects 9 people
Affects: Odoo Addons (MOVED TO GITHUB); Status: Fix Released; Importance: Wishlist; Assigned to: OpenERP's Framework R&D

Bug Description

I installed and configured users_ldap so that all of my users can log in using their credentials stored in OpenLDAP, which worked fine. Then I installed base_crypt (with the intention that all other passwords in the db, for non-LDAP users like 'admin', be encrypted). However, this prevents all LDAP users from logging in.
I suppose that base_crypt tries to authenticate the user and if this fails, login fails, without users_ldap trying to authenticate. I think this behaviour should be changed towards:
 1. Check whether the user can log in using the (possibly encrypted) password in the database.
 2. If not, check whether the user can log in using the LDAP password.
 3. If not, refuse access.
Right now, the second step seems to be omitted when base_crypt is used.
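One way to implement the three-step order proposed above, as an added example that is not code from OpenERP's base_crypt or users_ldap: the user table, the local hashing scheme (PBKDF2-SHA256 in a `scheme$rounds$salt$digest` string) and the LDAP directory are constructed in-memory stand-ins, and `ldap_bind` is a hypothetical replacement for a real simple bind against the directory server.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

# Local credentials are stored as salted PBKDF2 hashes. The encoding and
# the scheme are assumptions for this example, not OpenERP's storage format.
def hash_password(password: str, rounds: int = 100_000) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(calc.hex(), digest_hex)

# Constructed user table: an LDAP-backed user has no local hash at all,
# matching how users_ldap is described in this thread (nothing stored locally).
USERS = {
    "admin": {"password_hash": hash_password("s3cret-admin")},
    "alice": {"password_hash": None},
}

# Constructed stand-in for the directory server; real code would perform a
# simple bind with the user's DN and the supplied password.
LDAP_DIRECTORY = {"alice": "alice-ldap-pw"}

def ldap_bind(login: str, password: str) -> bool:
    """Hypothetical bind: True only if the directory accepts the password."""
    return LDAP_DIRECTORY.get(login) == password

def db_check(login: str, password: str) -> bool:
    """Step 1: the (hashed) password in the database."""
    user = USERS.get(login)
    if user is None or not user["password_hash"]:
        return False
    return verify_password(password, user["password_hash"])

def ldap_check(login: str, password: str) -> bool:
    """Step 2: the LDAP password, for any user the application knows about."""
    if login not in USERS:
        return False
    return ldap_bind(login, password)

Backend = Tuple[str, Callable[[str, str], bool]]
BACKENDS: List[Backend] = [("db", db_check), ("ldap", ldap_check)]

def authenticate(login: str, password: str,
                 backends: List[Backend] = BACKENDS) -> Optional[str]:
    """Try each backend in order and return the name of the one that accepted
    the credentials, or None (step 3: refuse access)."""
    # An empty password is refused before any backend sees it: many LDAP
    # servers treat a bind with an empty password as an anonymous bind that
    # succeeds, which would otherwise log anyone in as any LDAP user.
    if not password:
        return None
    for name, check in backends:
        if check(login, password):
            return name
    return None

if __name__ == "__main__":
    print(authenticate("admin", "s3cret-admin"))   # db
    print(authenticate("alice", "alice-ldap-pw"))  # ldap
    print(authenticate("alice", "nope"))           # None
```

The order of `BACKENDS` is the whole point of the bug: with the database check first, a failure there must fall through to the LDAP bind instead of ending the login, and only when every backend has refused is access denied.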

Amit Parik (amit-parik)
affects: openobject-addons → openobject-server
Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Wishlist
status: New → Confirmed
Amit Parik (amit-parik)
affects: openobject-server → openobject-addons
Revision history for this message
Russell Briggs (russell-briggs) wrote:

This seems like a rather major issue to me!

Using users_ldap on its own is risky, because it stores users' Active Directory passwords in the database in plain text!

I still don't understand why OpenERP chose not to encrypt passwords in the first place; this is standard practice in most other business software I have come across. It seems incredibly risky not to do it...

Martin Collins (mkc-steadfast) wrote:

It is mysterious. How many users actually want their passwords in clear text?

However, when configured correctly users_ldap does not store the ldap passwords in OpenERP. See this bug https://bugs.launchpad.net/bugs/760301 for a good explanation.

As I have mentioned elsewhere, I am not much enamoured of base_crypt and would rather see a password field type with the encryption handled by pgcrypt. Passwords should be encrypted by default. If anyone does want unencrypted passwords they can change the field type to string.

Nhomar - Vauxoo (nhomar) wrote:

I agree.

Olivier Dony (Odoo) (odo-openerp) wrote:

@Russell: sorry, you may have been misled by the bug title, but users_ldap does not store the LDAP passwords in the database at all; authentication is always performed against the LDAP server directly. The only reason you might want to install base_crypt in addition to users_ldap is to have non-LDAP users (with encrypted passwords) in addition to the LDAP users.

As for the reason for cleartext passwords: once you switch to encrypted passwords you can't recover user passwords anymore. So enabling it is a choice, because there's no going back. We don't currently plan to make passwords encrypted by default.

Also, people often don't realize that even if encrypted passwords do decrease the chance of having the cleartext passwords stolen (provided several requirements are met in the encryption scheme!), they don't replace real measures for ensuring the security of a database! Passwords are just regular data, so if they are compromised (even encrypted), it means the whole database was, and that means a lot more to worry about than just asking users to pick new passwords.

BTW, we're indeed going to make base_crypt and users_ldap work together, but it requires a change in the design of OpenERP authentication, to implement a pluggable authentication system. We're also planning to provide new encryption schemes in base_crypt, such as SHA-based HMAC.

Raphaël Valyi - http://www.akretion.com (rvalyi) wrote: Re: [Bug 738721] Re: base_crypt and users_ldap don't work together

Hello Olivier,

you said that one justification for not encrypting passwords by default is:
"As for the reason for cleartext passwords: once you switch to encrypted passwords you can't recover user passwords anymore. So enabling it is a choice, because there's no going back. We don't currently plan to make passwords encrypted by default."

Well, why is that such big trouble? Yes, you cannot recover the password, but it's trivial for the administrator to generate a new valid password and send it to the user.
So if you really forgot what your password was, why is it such big trouble to use a fresh new one you can choose?

I'm sorry, but unless I missed something I don't understand the justification behind that.
I strongly believe encrypting should be done by default.

Look, in our daily consultant work, it's just too frequent that one gives ERP or database admin rights to some third-party consultant. Today that guy can always rip all the passwords of all the company's employees, and this is potentially happening everywhere in the world where OpenERP is deployed.
And since there is no third-party auth like OpenID, people are just forced to use yet another password, so the chance they use one they already use is huge. So if you rip like 30 passwords per company and then test randomly on their GMail, Facebook or bank accounts, I'm sure there will be some positive match from time to time.
So unless I missed some other reason, I just cannot understand that decision either.

Do I miss something?

On Wed, May 18, 2011 at 8:12 PM, Olivier Dony (OpenERP) <email address hidden> wrote:

Olivier Dony (Odoo) (odo-openerp) wrote:

On 05/19/2011 01:52 AM, Raphaël Valyi - http://www.akretion.com wrote:
> Well, what is that such a big trouble? Yes you cannot recover the password
> but it's trivial for the administrator to generate a new valid password and
> send it to the user.

I'm not saying it's big trouble, just that it's a feature, and a choice
people might want. You can reverse the question and ask what is the big
issue with installing base_crypt? (no, you don't need it for LDAP)

> Look, in our daily consultant work, it's just too frequent one give ERP or
> database admin right to some third party consultant. Today that guy can
> always rip all the passwords of all companies employees and this potentially
> happening everywhere in the world where OpenERP is deployed.

Exactly. You're illustrating the second point in the previous comment. You
say encrypted passwords make you more confident giving full access to
third-party people. That's fallacious reasoning: why aren't you worried
about the rest of the database? You should be.
Unix passwords are encrypted by default. Do you go and give root access
to everyone because it's safe: they can't steal passwords? I don't.

Remember, I'm not saying encrypted passwords are bad. I'm just saying
people should start considering them as _one reasonable option_ among a
large number of security measures to take, and not as the unique or
ultimate magic answer to all security considerations.

Anyway, that's just my opinion, anyone is free to think otherwise.

Raphaël Valyi - http://www.akretion.com (rvalyi) wrote:

On Wed, May 18, 2011 at 10:25 PM, Olivier Dony (OpenERP) <email address hidden> wrote:

> On 05/19/2011 01:52 AM, Raphaël Valyi - http://www.akretion.com wrote:
> > Well, what is that such a big trouble? Yes you cannot recover the password
> > but it's trivial for the administrator to generate a new valid password and
> > send it to the user.
>
> I'm not saying it's big trouble, just that it's a feature, and a choice
> people might want. You can reverse the question and ask what is the big
> issue with installing base_crypt? (no, you don't need it for LDAP)

So basically all other software around decides to encrypt passwords; once again, OpenERP is the only one that got security right by taking the default choice of leaving them clear?
I'm here just trying to help you make OpenERP a valid business model. Of course it's not a problem for me, Akretion, after 3 years fighting over OpenERP, to install yet another module.

Now isn't your new business model based upon an expectation of having 2M users within 2 years?
I'm sorry, but in my experience, 2M users is incompatible with such a level of anarchy in the default settings.
For a 2M user base, you need your average integrator not to have to be a PhD, multilingual, overworking open source guru anymore. You need straightforward installation processes.
IMHO it's time for OpenERP to take a Rails-like approach: doing things correctly by default and only letting people screw it all up if they really want to. Not the reverse.
I think this is the only approach that lowers the entry barrier enough to make OpenERP scale like other popular open source tools.
So I'm just asking here to consider the possibility of making passwords encrypted by default in 6.1.

> > Look, in our daily consultant work, it's just too frequent one give ERP or
> > database admin right to some third party consultant. Today that guy can
> > always rip all the passwords of all companies employees and this potentially
> > happening everywhere in the world where OpenERP is deployed.
>
> Exactly. You're illustrating the second point in previous comment. You
> say encrypted password make you more confident giving full access to
> third-party people. That's fallacious reasoning: why aren't you worried
> about the rest of the database? You should be.

Wait a minute: where did I suggest that because of password encryption I would suddenly suggest giving more access rights?
I'm sorry, but your point is fallacious; it's just like saying:
hey, don't lock your home door, because if you lock it you'll suddenly forget about other security aspects and people will steal from you more.

Of course we are all concerned about a database or ERP admin accessing all ERP data.
Now there is a big difference between knowing the company secrets and probably knowing a few mail/social network/bank/whatever accounts of some of the company employees.
The point is that because OpenERP doesn't have decentralized authentication, passwords are likely to be what people use for other accounts, so ripping them is just TOO BAD to be acceptable, especially when the alternative costs nearly 0 to implement.

> Unix passwords are encrypted by default. Do you ...

Raphaël Valyi - http://www.akretion.com (rvalyi) wrote:

>
> Exactly. You're illustrating the second point in previous comment. You
> say encrypted password make you more confident giving full access to
> third-party people. That's fallacious reasoning: why aren't you worried
> about the rest of the database? You should be.
> Unix passwords are encrypted by default. Do you go and give root access
> to everyone because it's safe: they can't steal passwords? I don't.

And oh you do yes...

OK, let's take the use case you mentioned:
user X lost his password.
So you suggest that admin Y read user X's password inside the database to give X his password back, right?
Remember, this was your #1 hammer argument to defend the no-encryption choice...

Aren't you here encouraging someone to look at the database and possibly rip users' passwords?

Now take my suggestion: the password in the database is encrypted and the only solution is to generate a new one from the OpenERP admin (or by code eventually).
The message this actually sends is rather "don't even try to look in the database, it won't help you, do it the other way." (and even if you look at the database, at least you won't steal anybody's password).

And yet you still think your "no encryption by default" approach is the one that offers the best security, while encryption is the dangerous policy that encourages granting access rights blindly?

My 0.02 R$

Nhomar - Vauxoo (nhomar) wrote:

Hello all.

@oliver: IMHO rvalyi is right, but I only want to add some formal document of "Best Practices".

Here are the policies of the University of Tennessee:

http://security.tennessee.edu/pdfs/PBP.pdf

On page 4, section "PROTECTION OF PASSWORDS", item 6:
"Passwords must not be stored in any location where unauthorized
individuals might discover or obtain them."

If we store the password unencrypted in any case, we are by default breaking the principle.

I have some experience selling the OpenERP idea to medium businesses, where this policy that OpenERP has by default gives a bad impression.

Let me show you a use case:

The IT manager is a highly trusted person; he has 3 technicians that have access to the server in one way or another. He needs to be sure that they cannot see some important information without supervision. He keeps the PostgreSQL password to himself, and the server root password to himself, but for a development environment he shares a copy of the database with some data blocked. He needs his programmers to work with an environment as close as possible to the real environment, so he will share res_users data. Don't you think it is better if he is not worried about changing passwords in the db???

We can have a lot of cases like this. Imagine an environment of 300-3000 users, with internal or external IT people. I think it is realistic that the REAL USED password can NEVER be managed by IT guys, even if they have access to Postgres, because you are compromising a lot of sensitive information......

Even the simplest reference, _WIKIPEDIA_ "http://en.wikipedia.org/wiki/Password_policy":

It says:

"never write down a password"
"never telling a password to anyone, including people who claim to be from customer service or security"

In these 2 cases at least your IT guys will have access to the password itself, and not one but -ALL- passwords..... we are breaking these rules.

Another reference, "US Department of Energy":

http://security.fnal.gov/UserGuide/password.htm

It says:

"Don't leave passwords where others can find them;"

With unencrypted passwords at least ALL your IT guys can find it!

"Store passwords securely;"

In plain text this is insecure.

And for the best practices of the market:

---Almost no serious system proposes by default the most insecure option for deploying the application.---

BTW.

If the boss wants to receive support from an IT person, he can ask to "change" the password, NEVER share his password; if an IT guy wants to break the system by changing the password, the supervisor will notice the change almost "IMMEDIATELY" because his session will be broken immediately....

My 0.02Bs-.

Thanks

Simone Orsi (simone-orsi) wrote:

Raphael +1

My opinion is: encrypted password should be the default, clear password should be an option.

David Mitchell (www.novapointgroup.com) (david-novapointgroup.com) wrote:

+1 for Raphael as well

We also believe the system login should support multifactor
authentication (e.g. OTP, one-time passwords); see the C2C work done
with the YubiKey in v5. Especially since database login information is
readily available in config files by default, although this file is
typically hardened prior to deployment.

It should be under the philosophy of TNO (Trust No One), e.g. the
YubiHSM hardware key or OTP.

In a related topic as well - all bank accounts except the last 4
digits of an account should also be encrypted and masked too - alas
but that is another topic.

Maybe a nice section in the doc on "recommendations to "secure" your
environment" might be appreciated by the general OpenERP public.

David Mitchell
President
NovaPoint Group LLC

On Thu, May 19, 2011 at 3:05 AM, Simone Orsi - Domsense <email address hidden> wrote:

Carlos Ch. (solracch) wrote:

+1 Raphael
with a functionality to send a new password by mail

Raphaël Valyi - http://www.akretion.com (rvalyi) wrote:

Guys,

as a comment, I'm thinking the only password that might be allowed to be clear should be the admin password.
Indeed recovering a crypted admin password sucks: you have to generate a SHA1 and put it in the database or something like this.
Now, the only way to recover the admin password is to access the database anyway, so I mean then you can read all ERP info, so having it clear is not a big deal.
Plus the admin password will hardly be the one I'm using for my GMail account, something that might not be true for the average employee.
Finally, if database access can give you the admin password, that's still a lot better if you cannot read the employees' passwords and should rather reset them to some default value, using the administration of OpenERP, till people set a personal password.
What do you think about that?
So still no chance OpenERP gets encrypted passwords by default in v6.1? Do you really choose to keep the real entry barrier as high while you are also spending on the marketing to make new entrants believe it's simpler in the meantime? How consistent is that? We see here many integrators voting for encryption by default; can all you other folks that think otherwise defend your point here, to give some credit to this choice we don't understand?

On Thu, May 19, 2011 at 3:58 PM, Carlos @ smile.fr <email address hidden> wrote:

Martin Collins (mkc-steadfast) wrote:

> I'm thinking the only password that might be allowed to be clear should be the admin password.

Now you have a double standard. Added complexity in the authentication code. I think it *should* be hard to reset the admin password, teach you not to forget it in the first place, we charge our users five dollars for a password reset ;-)

I don't suppose I'm the only one to load a res.users.csv with the admin and some other user data in it. Also various backups lying around. I'm going to have to be a lot more careful with all these files if they have a clear admin password in them.

Tobias G. Pfeiffer (tgpfeiffer) wrote:

Hi folks,

while this is not the point of the actual bug report, I'm pretty much surprised that some people are actually arguing *for* having cleartext passwords (in particular the admin one) in the database. I assumed that there is no discussion about this being an absolute no-go for *any* application.
If a website stores its users' passwords in cleartext, that's a reason for me not to register there. What Linux distribution do you know that stores cleartext credentials of the system users in /etc/passwd or /etc/shadow? Where would you expect to be able to get your forgotten password back from the admin by a phone call?

In short: Do *never ever* store any cleartext passwords in the database. This might make base_crypt superfluous and base_ldap should work just as before.

Tobias

Cristian Salamea (ovnicraft) wrote:

Hello, first of all, this bug is confirmed. Now I want to ask OpenERP SA:
how is password management considered in your roadmap? (please be explicit here)

To make my comment I need to highlight,

Keypoints:
- Community point of view about the need for passwords encrypted by default in the system, and necessary in 6.1 as default
- Links and info (around the world) about password management; I think this doesn't need discussion
- OpenERP SA's position that plaintext passwords in the system are not a problem, just a choice by users, and keeping their point about easy password recovery.

My comment goes in this way:

OpenERP needs to take more professional techniques to work in some areas (security now); this system is an ERP. On the other hand nobody supports your position about keeping the password as plaintext, so we need to understand what this implies:

Create a password management and this must include:
 * Encrypted storage
 * Recovery of passwords
 * blacklist passwords
 * password sync
 * lifetime password
 * schedule password changes

Please consider all the info from the community; I completely agree with @Rvalyi and all people in this thread. Maybe your point is good but our suggestion is better/clearer/best practice/a real security solution.

Regards,

Graeme Gellatly (gdgellatly) wrote:

+1 - cleartext should not even be an option.

On Fri, May 20, 2011 at 10:45 AM, Cristian Salamea (Gnuthink) <email address hidden> wrote:

Alexis de Lattre (alexis-via) wrote:

Yes, all passwords stored in OpenERP should be encrypted by default.

Ana Juaristi Olalde (ajuaristio) wrote:

+1 all passwords should be encrypted by default.

Alexandre Fayolle - camptocamp (alexandre-fayolle-c2c) wrote:

just for the record, and in order to set the vocabulary right: the standard policy on unix is not to store *encrypted* passwords, but to store password *hashes* (using a cryptographically secure hash). This is very different from a conceptual POV: while an encrypted password may be decrypted, a hashed password typically cannot.

Windows Active Directory optionally offers to save encrypted password (which is required to enforce policies such as 'when changing a password, it must differ from the previous password by at least 3 characters').

What base_crypt offers is password hashing, and the procedure is to hash the user supplied password at authentication time and compare it with the hash. This works fine for the purpose of checking if a user knows the password.

Another very important problem is the integration of OpenERP v7 with Google services, which, unless I'm mistaken, requires the user to store his Google account password in clear text in the database... Hashing won't cut it: either you need to change the way OpenERP interacts with Google, or you have to store the password encrypted.

Maxime Chambreuil (http://www.savoirfairelinux.com) (max3903) wrote:

+1 all passwords should be encrypted by default.

Mario Arias (the-clone-master) wrote:

Please fix this !!

When will OpenERP S.A. stop thinking they know better than the rest, and start following best practices... ??

Xavier Fernandez http://www.smile.fr (xav-fernandez) wrote:

+1 all passwords should be encrypted by default.

Goran Kliska (gkliska) wrote:

+1 all passwords should be encrypted by default.

ka (kandresen2000) wrote:

+1 all passwords should be encrypted by default, including the main admin password which essentially should be locked in a safe and not used by anyone except in an emergency. The regular admins should have their own username for regular admin tasks, which also allow auditing of what the admin does.

ka (kandresen2000) wrote:

Also came to think - even the admin password can be easily reset even when lost... How:
Generate a new database, set a password (with the same salt as the original base) then copy the new encrypted password to the admin password field and there you go...

There are absolutely no good arguments for keeping passwords in cleartext.

ka (kandresen2000) wrote:

so technically, the system should send an email to every member of the admin and security groups whenever user "admin" is being logged in. This should also encourage NOT using that very account.

Tobias G. Pfeiffer (tgpfeiffer) wrote:

OK, let's get back on track. This bug was reported (by me) more than two years ago because two modules didn't play nicely together. This issue is not about user/password management and not even about whether passwords should be encrypted in the database.

I actually don't expect this issue to get fixed any more, and also I don't know about the state of authentication in the latest OpenERP version, but we should really try to keep that a separate issue. Thanks.

Olivier Dony (Odoo) (odo-openerp) wrote:

On 07/31/2013 10:57 AM, Tobias G. Pfeiffer wrote:
> I actually don't expect this issue to get fixed any more, and also I
> don't know about the state of authentication in the latest OpenERP
> version

Actually there's a work-in-progress fix that will land for auth_ldap in 7.0
soon. 7.0 revamped the authentication layer and makes it easier to correct.

Olivier Dony (Odoo) (odo-openerp) wrote:

As previously announced, the incompatibility issue between `auth_crypt` and `auth_ldap` (formerly base_crypt and users_ldap) has been lifted in OpenERP 7.0, as of addons revision 9337 revid:<email address hidden>.

Note: in trunk we are further improving auth_crypt, switching it to use the `passlib` library (which supports the `md5crypt` scheme we were using before), and changing the default scheme to SHA-512 (salted of course)

Changed in openobject-addons:
milestone: none → 7.0
status: Confirmed → Fix Released
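The scheme change announced in the comment above (keep accepting the md5crypt hashes already stored, write new ones with salted SHA-512) is the usual verify-and-upgrade pattern, and it is also the hash-then-compare verification Alexandre describes earlier in the thread. The block below is an added example, not code from auth_crypt or from passlib: the scheme names, the `$scheme$rounds$salt$digest` encoding and the user table are stand-ins, with `legacy_sha1` playing the role of the deprecated scheme and `pbkdf2_sha512` the role of the new default.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_SCHEME = "pbkdf2_sha512"      # stand-in for the new salted SHA-512 default
DEPRECATED_SCHEMES = {"legacy_sha1"}  # stand-in for hashes stored under the old scheme

def _digest(scheme: str, password: bytes, salt: bytes, rounds: int) -> bytes:
    if scheme == "legacy_sha1":
        # Single salted hash: cheap to brute-force, hence deprecated.
        return hashlib.sha1(salt + password).digest()
    if scheme == "pbkdf2_sha512":
        return hashlib.pbkdf2_hmac("sha512", password, salt, rounds)
    raise ValueError(f"unknown scheme {scheme!r}")

def hash_password(password: str, scheme: str = DEFAULT_SCHEME,
                  rounds: int = 100_000) -> str:
    salt = os.urandom(16)  # fresh per-password salt: equal passwords differ on disk
    digest = _digest(scheme, password.encode("utf-8"), salt, rounds)
    return f"${scheme}${rounds}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Hash the supplied password with the stored salt and scheme, then compare;
    the stored value is never decrypted because it is a hash, not a ciphertext."""
    try:
        _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
        digest = _digest(scheme, password.encode("utf-8"),
                         bytes.fromhex(salt_hex), int(rounds))
    except ValueError:  # malformed record or unknown scheme: refuse
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)

def verify_and_update(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, new_hash). new_hash is set only when the login succeeded and
    the stored hash uses a deprecated scheme; a successful login is the only
    moment the cleartext is available to re-hash under the new scheme."""
    if not verify(password, stored):
        return False, None
    scheme = stored.split("$")[1]
    if scheme in DEPRECATED_SCHEMES:
        return True, hash_password(password)
    return True, None

# Constructed user table holding one hash produced under the old scheme.
USERS = {"bob": hash_password("hunter2", scheme="legacy_sha1", rounds=1)}

def login(user: str, password: str) -> bool:
    ok, new_hash = verify_and_update(password, USERS.get(user, ""))
    if ok and new_hash:
        USERS[user] = new_hash  # transparent upgrade persisted on success
    return ok

if __name__ == "__main__":
    print(USERS["bob"].split("$")[1])  # legacy_sha1
    print(login("bob", "hunter2"))     # True
    print(USERS["bob"].split("$")[1])  # pbkdf2_sha512
```

Because the old hashes cannot be converted without the cleartext, the deprecated scheme has to stay verifiable until every active user has logged in once; accounts that never do keep the weaker hash, which is the reason to pair this with a forced reset for dormant accounts.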