fix(creds): MQTT regression + secret_kind for hash credentials
Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:
1. MQTT — was working through the legacy adapter, silently dropped
when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
challenge-response the attacker sent. Plaintext irrecoverable, so
it never fit the (principal, secret_b64=raw_bytes) shape. Lands
in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
DES-encrypted challenge. Same situation as Postgres: plaintext
irrecoverable. Lands as secret_kind="vnc_des_response".
Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.
The model now genuinely covers every cred-emitting service in the
fleet:
plaintext SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
MQTT
postgres_md5_* Postgres
vnc_des_response VNC
Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.
40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.
This commit is contained in:
@@ -14,7 +14,12 @@ import random
|
||||
import struct
|
||||
|
||||
import instance_seed as _seed
|
||||
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
|
||||
from syslog_bridge import (
|
||||
encode_secret,
|
||||
forward_syslog,
|
||||
syslog_line,
|
||||
write_syslog_file,
|
||||
)
|
||||
|
||||
NODE_NAME = os.environ.get("NODE_NAME", "mqtt-broker")
|
||||
SERVICE_NAME = "mqtt"
|
||||
@@ -256,7 +261,17 @@ class MQTTProtocol(asyncio.Protocol):
|
||||
|
||||
if pkt_type == 1: # CONNECT
|
||||
info = _parse_connect(payload)
|
||||
_log("auth", **info)
|
||||
# Migrate auth event to the universal credential SD shape
|
||||
# so the ingester's native branch picks up the row. The
|
||||
# legacy username/password keys are intentionally NOT
|
||||
# forwarded — encode_secret() supplies secret_printable
|
||||
# and secret_b64 in their place.
|
||||
_user = info.get("username", "")
|
||||
_password = info.get("password", "")
|
||||
_passthrough = {k: v for k, v in info.items()
|
||||
if k not in ("username", "password")}
|
||||
_log("auth", username=_user, principal=_user,
|
||||
**encode_secret(_password), **_passthrough)
|
||||
# Decide connection: accept-all > cred list > deny.
|
||||
cred = (info.get("username", ""), info.get("password", ""))
|
||||
accepted = (
|
||||
|
||||
@@ -11,6 +11,7 @@ import os
|
||||
import struct
|
||||
|
||||
import instance_seed as _seed
|
||||
import base64 as _base64
|
||||
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
|
||||
|
||||
NODE_NAME = os.environ.get("NODE_NAME", "pgserver")
|
||||
@@ -137,10 +138,27 @@ class PostgresProtocol(asyncio.Protocol):
|
||||
self._transport.write(auth_md5)
|
||||
|
||||
def _handle_password(self, payload: bytes):
|
||||
# Postgres MD5 challenge-response: the wire form is the literal
|
||||
# ASCII string "md5" + 32 hex chars (md5(md5(pw+user)+salt)).
|
||||
# Plaintext is unrecoverable, so we land this in the Credential
|
||||
# table as secret_kind="postgres_md5_challenge" — secret_b64
|
||||
# carries the raw hash bytes (after stripping the "md5" prefix
|
||||
# and hex-decoding) for content-addressable reuse within-kind.
|
||||
pw_hash = payload.rstrip(b"\x00").decode(errors="replace")
|
||||
_log("auth", src=self._peer[0], pw_hash=pw_hash,
|
||||
username=getattr(self, "_username", ""),
|
||||
database=getattr(self, "_database", ""))
|
||||
_hex = pw_hash[3:] if pw_hash.startswith("md5") else pw_hash
|
||||
try:
|
||||
_raw = bytes.fromhex(_hex)
|
||||
except ValueError:
|
||||
_raw = _hex.encode("utf-8", errors="replace")
|
||||
_b64 = _base64.b64encode(_raw).decode("ascii")
|
||||
_user = getattr(self, "_username", "")
|
||||
_log("auth", src=self._peer[0],
|
||||
username=_user, principal=_user,
|
||||
database=getattr(self, "_database", ""),
|
||||
pw_hash=pw_hash,
|
||||
secret_kind="postgres_md5_challenge",
|
||||
secret_printable=pw_hash,
|
||||
secret_b64=_b64)
|
||||
user = getattr(self, "_username", "")
|
||||
msg = f'password authentication failed for user "{user}"'
|
||||
_seed.jitter_sync(20, 90)
|
||||
|
||||
@@ -8,6 +8,7 @@ failed". Logs the raw response for offline cracking.
|
||||
|
||||
import asyncio
|
||||
import os
|
||||
import base64 as _base64
|
||||
from syslog_bridge import syslog_line, write_syslog_file, forward_syslog
|
||||
|
||||
NODE_NAME = os.environ.get("NODE_NAME", "desktop")
|
||||
@@ -68,7 +69,16 @@ class VNCProtocol(asyncio.Protocol):
|
||||
return
|
||||
response = self._buf[:16]
|
||||
self._buf = self._buf[16:]
|
||||
_log("auth_response", src=self._peer[0], response=response.hex())
|
||||
# VNC protocol: 16-byte DES-encrypted challenge. Plaintext
|
||||
# password is irrecoverable, so we land this credential as
|
||||
# secret_kind="vnc_des_response" — secret_b64 carries the
|
||||
# raw 16 bytes for content-addressable within-kind reuse.
|
||||
_hex = response.hex()
|
||||
_log("auth_response", src=self._peer[0],
|
||||
response=_hex,
|
||||
secret_kind="vnc_des_response",
|
||||
secret_printable=_hex,
|
||||
secret_b64=_base64.b64encode(response).decode("ascii"))
|
||||
# SecurityResult: 1 = failed
|
||||
self._transport.write(b"\x00\x00\x00\x01")
|
||||
# Failure reason
|
||||
|
||||
Reference in New Issue
Block a user