I am confused about different protocols and mechanisms for Kafka authentication.
Similar to this question here:
Can Kafka be provided with custom LoginModule to support LDAP?
I have kind of made my own PlainLoginModule that uses LDAP to authenticate the username/password provided by the client.
Is there any way for me to make this more secure? It does not seem safe to send plaintext passwords for the authentication. I would also prefer to not use plaintext password in the client side jaas file if possible.
If I were to use SSL could I still use LDAP server to authenticate? How would the kafka configuration change. Current conf:
listeners=SASL_PLAINTEXT://:9092
advertised.listeners = SASL_PLAINTEXT://kafka:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.enabled.mechanisms=PLAIN
You have two options how to make it more secure:
Use SASL_SSL listeners to wrap the SASL authentication into SSL encryption. You will still be able to use your LDAP through custom module.
Use one of the more secure SASL mechanisms. PLAIN mechanism will send the password over the network which is not secure. You can instead use one of the supported SCRAM mechanisms which will not send the password over the network and will use a more sophisticated handshake instead. Kafka supports SCRAM-SHA-256 and SCRAM-SHA-512. However the SCRAM mechanisms would not work with LDAP - they store the credentials (not directly passwords) in Zookeeper. The SCRAM mechanisms can be of course also combined with SSL.
Yes you can use a SASL_SSL listener. This will use SASL to authenticate and then encrypt the data sent using SSL. If you want more secure authentication, you should consider using the GSSAPI SASL mechanism. ldap and Kerberos integration is a common practice and then you don't have exposed credentials.
Related
I am integrating an application with LDAP in my organisation.
I am implementing HTTPS to send the password from the frontend to my application server, and then forwarding the password from my application server to the LDAP server using TLS. This keeps the password safe in transit.
However there is still the problem that my application server is still able to see the password in plaintext before it forwards the password to the LDAP server.
If I hash it on the front end then the password will not match the password on the LDAP server.
Is this a risk that I need to accept in order to integrate my application with LDAP? Or am I implementing this incorrectly somehow?
My application server is a python flask application and I am implementing LDAP3.
Thanks in advance.
For the question:
Is this a risk that I need to accept in order to integrate my
application with LDAP?
Yes.
The use of SASL Mechanisms which are supported by most LDAP Server Implementations can SASL authentication, this is However, this requires the LDAP Client (DUA) to be able to present an encoded value that contains the SASL mechanism name and an optional set of encoded SASL credentials.
Maybe you could use SASL with a ServerLess Architecture?
Regardless of the technology implemented, any password based authentication would require the user providing credentials which, at some point need to be gathered and therefore subject to this risk.
THe use of OpenID Connect could limit the exposure so the to the OpenID Provider's Authorization Server; but the risk is still present.
WebAuthn eliminates passwords and may be an option.
-jim
I'm building an application using nodejs express + mongodb.
I need to add authentication.
I've found these options:
using json web tokens
using passport framework
Are my user credentials which I pass over the internet secure if I combine one of these 2 with ssl?
Well, both are secure but different (https is the way).
If you need server side sessions after autentication, go for passport is easy to set up and supports a ton of autentication ways.
In the case of JsonWebTokens, are great way to implement session-less autentication like interacting with a REST API.
This is a good read: If REST applications are supposed to be stateless, how do you manage sessions?
Yes, it will be secure if you do that, you may consider using two-factor authentication if you want to increase security.
json web tokens is just a standard used for token based authentication, while the passport framework is a tool that will help you to build your software in a more secure way. I'm not familiar with Passport Framework, but I believe that all strategies that it provides will use JWT.
TLS (or SSL) is a tunneling protocol to tunnel unsecure http protocol, which sends plain text data to a server. You may be interested in RFC1818 that has some information about using http with tls.
It's very important to tunnel http request when sending sensitive information. It will add to you app:
1) Server authentication
2) Integrity protection
3) Replay protection
4) Confidentiality
When you authenticate against active directory as described in this answer, how is the exchange sent over the network? Is it encrypted? If not, what is the correct way to ensure that it is not sent in clear text?
If the PrincipalContext class implements the Kerberos protocol to authenticate the user against the Active Directory, the users credential is protected according the Kerberos protocol. Basically both sides makes use of a secret key to create a secure channel using a key exchange protocol like Diffie-Hellman.
You can find a quick explanation about the Kerberos protocol in wikipedia, but the RFC 4120 is the official source.
In other hand if it uses plain LDAP queries, the security will be on the transport protocol.
I'm building a Haskell web application for which I need authentication. My organization runs an LDAP server, and I would prefer not to reinvent the wheel. However, when I inspect the source code for LDAP.Init.ldapSimpleBind from the ldap-haskell package, I discover that it calls the C routine ldap_simple_bind_s. As far as I can tell, this API call is going to send my users' passwords in the clear to an LDAP server. Not acceptable.
Have I understood correctly what ldap-haskell is doing?
If so, is there a secure way for me to authenticate my users to an LDAP server from an application written in Haskell?
Passwords must be sent in the clear over a secure connection to an LDAP server that supports password policy checks. Failure to do so will result in the server being unable to manage password history and password quality checks. If the server does not support password policy and history checks, then that server should not be used for non-trivial, mission critical applications. Use either SSL, or failing that, an unsecure connection promoted to TLS using the StartTLS extended operation.
Can you use port 636 (secure LDAP) instead of port 389 to connect to your LDAP server? In this case you would at least have SSL protection.
I am trying to understand gmail's authentication mechanism. I know it uses https for transporting the user credentials during login and then the rest of the communication happens over http. How is this achieved? Is some kind of key exchanged during the initial session over https and used in subsequent requests? if yes, Isn't some kind of key agreement protocol (e.g. Diffie-Hellman) better for exchanging the shared key instead of https?
https uses asymmetric encryption to obtain a symmetric key. After cookies are set using https they are the source of authentication over http. Unless the user has set https to be always used