fix(creds): MQTT regression + secret_kind for hash credentials

Honest correction to the "every cred-emitting service" claim. Audit of templates/* found three gaps: 1. MQTT — was working through the legacy adapter, silently dropped when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret() alongside the others. 2. Postgres — `auth, pw_hash=…` event captures the MD5 challenge-response the attacker sent. Plaintext irrecoverable, so it never fit the (principal, secret_b64=raw_bytes) shape. Lands in Credential as secret_kind="postgres_md5_challenge". 3. VNC — `auth_response, response=…hex` event captures the 16-byte DES-encrypted challenge. Same situation as Postgres: plaintext irrecoverable. Lands as secret_kind="vnc_des_response". Adds a `secret_kind` discriminator column to Credential (default "plaintext", indexed). The dedup tuple gains secret_kind so two credentials with the same sha256 but different kinds are fundamentally different rows — different challenges produce different bytes for the same plaintext password, so cross-kind reuse matches are meaningless and would only confuse analytics. The model now genuinely covers every cred-emitting service in the fleet: plaintext SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP, MQTT postgres_md5_* Postgres vnc_des_response VNC Username-only services (MySQL/MSSQL — TDS pre-encryption captures the user but never sees the password byte) intentionally don't feed Credential — they're recon signals, not cred attempts. 40 tests pass in the touched scope. New cases: secret_kind dedups independently in the repo; Postgres MD5 + VNC DES emitters thread through; MQTT round-trips through the native branch.
2026-04-25 06:16:57 -04:00
parent e696c2beb3
commit 6b16c844b6
9 changed files with 165 additions and 8 deletions
--- a/decnet/templates/vnc/server.py
+++ b/decnet/templates/vnc/server.py
@@ -8,6 +8,7 @@ failed". Logs the raw response for offline cracking.

 import asyncio
 import os
+import base64 as _base64
 from syslog_bridge import syslog_line, write_syslog_file, forward_syslog

 NODE_NAME = os.environ.get("NODE_NAME", "desktop")
@@ -68,7 +69,16 @@ class VNCProtocol(asyncio.Protocol):
                return
            response = self._buf[:16]
            self._buf = self._buf[16:]
-            _log("auth_response", src=self._peer[0], response=response.hex())
+            # VNC protocol: 16-byte DES-encrypted challenge. Plaintext
+            # password is irrecoverable, so we land this credential as
+            # secret_kind="vnc_des_response" — secret_b64 carries the
+            # raw 16 bytes for content-addressable within-kind reuse.
+            _hex = response.hex()
+            _log("auth_response", src=self._peer[0],
+                 response=_hex,
+                 secret_kind="vnc_des_response",
+                 secret_printable=_hex,
+                 secret_b64=_base64.b64encode(response).decode("ascii"))
            # SecurityResult: 1 = failed
            self._transport.write(b"\x00\x00\x00\x01")
            # Failure reason