anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(creds): MQTT regression + secret_kind for hash credentials

Browse Source 
Honest correction to the "every cred-emitting service" claim. Audit
of templates/* found three gaps:

1. MQTT — was working through the legacy adapter, silently dropped
   when Phase 3 (e696c2b) deleted it. Now migrated to encode_secret()
   alongside the others.
2. Postgres — `auth, pw_hash=…` event captures the MD5
   challenge-response the attacker sent. Plaintext irrecoverable, so
   it never fit the (principal, secret_b64=raw_bytes) shape. Lands
   in Credential as secret_kind="postgres_md5_challenge".
3. VNC — `auth_response, response=…hex` event captures the 16-byte
   DES-encrypted challenge. Same situation as Postgres: plaintext
   irrecoverable. Lands as secret_kind="vnc_des_response".

Adds a `secret_kind` discriminator column to Credential (default
"plaintext", indexed). The dedup tuple gains secret_kind so two
credentials with the same sha256 but different kinds are
fundamentally different rows — different challenges produce
different bytes for the same plaintext password, so cross-kind
reuse matches are meaningless and would only confuse analytics.

The model now genuinely covers every cred-emitting service in the
fleet:

  plaintext        SSH, Telnet, FTP, POP3, IMAP, SMTP, Redis, LDAP,
                   MQTT
  postgres_md5_*   Postgres
  vnc_des_response VNC

Username-only services (MySQL/MSSQL — TDS pre-encryption captures
the user but never sees the password byte) intentionally don't feed
Credential — they're recon signals, not cred attempts.

40 tests pass in the touched scope. New cases: secret_kind dedups
independently in the repo; Postgres MD5 + VNC DES emitters thread
through; MQTT round-trips through the native branch.
This commit is contained in:
anti
2026-04-25 06:16:57 -04:00
parent e696c2beb3
commit 6b16c844b6
9 changed files with 165 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
tests/db/test_credentials.py
View File

@@ -123,6 +123,32 @@ async def test_get_credentials_for_attacker(repo) -> None:
assert rows[0]["attacker_ip"] == "10.0.0.5"
@pytest.mark.anyio
async def test_secret_kind_dedups_independently(repo) -> None:
"""Same sha256, same principal — different secret_kind = different row.
Two rows with the same content-addressable hash but different kinds
represent fundamentally different credentials (e.g. a plaintext
password that happens to hash to the same value as a Postgres
md5 challenge response is statistically impossible but semantically
distinct anyway). Dedup must respect the kind boundary."""
base = {
"attacker_ip": "10.0.0.5",
"decky_name": "decky-01",
"service": "ssh",
"principal": "root",
"secret_sha256": _sha256("hunter2"),
"secret_b64": "aHVudGVyMg==",
"fields": {},
}
await repo.upsert_credential({**base, "secret_kind": "plaintext"})
await repo.upsert_credential({**base, "secret_kind": "postgres_md5_challenge"})
rows = await repo.get_credentials()
assert len(rows) == 2
kinds = {r["secret_kind"] for r in rows}
assert kinds == {"plaintext", "postgres_md5_challenge"}
@pytest.mark.anyio
async def test_filters(repo) -> None:
base_secret = _sha256("a")