Admin token Argon2 hashing support

[BlackDex]

Added support for Argon2 hashing support for the ADMIN_TOKEN instead of only supporting a plain text string.

The hash must be a PHC string which can be generated via the argon2 CLI or via the also built-in hash command in Vaultwarden.

You can simply run vaultwarden hash to generate a hash based upon a password the user provides them self.

Added a warning during startup and within the admin settings panel is the ADMIN_TOKEN is not an Argon2 hash.

Within the admin environment a user can ignore that warning and it will not be shown for at least 30 days. After that the warning will appear again unless the ADMIN_TOKEN has be converted to an Argon2 hash.

I have also tested this on my RaspberryPi 2b and there the Bitwarden preset takes almost 4.5 seconds to generate/verify the Argon2 hash.

Using the OWASP preset it is below 1 second, which I think should be fine for low-graded hardware.
If it is needed people could use lower memory settings, but in those cases I even doubt Vaultwarden it self would run.
They can always use the argon2 CLI and generate a faster hash.

Examples

ADMIN_TOKEN='$argon2i$v=19$m=4096,t=3,p=1$Saf.....'
ADMIN_TOKEN='$argon2d$v=19$m=4096,t=3,p=1$drh.....'
ADMIN_TOKEN='$argon2id$v=19$m=4096,t=3,p=1$ds.....'

I also created some documentation on the wiki regarding this feature already.
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token

[dani-garcia]

Is there a particular reason to support both SHA512 and argon? We don't need to keep backwards compatibility here so we can just force the more secure hashing algorithm.

Should we add some tool, either in the CLI or the admin page to generate these hashes? Or are we just going to instruct the users to do sudo apt install argon2; argon2 <your_password>?

[BlackDex]

Is there a particular reason to support both SHA512 and argon? We don't need to keep backwards compatibility here so we can just force the more secure hashing algorithm.

Should we add some tool, either in the CLI or the admin page to generate these hashes? Or are we just going to instruct the users to do sudo apt install argon2; argon2 <your_password>?

That is actually why i added the scrypt sha512. That can be done by openssl for example. Though it doesn't support custom iterations, while mkpasswd does.

OWASP says argon2 first, then scrypt, even before pbkdf2.

An other reasons is, that i don't know the impact of Argon2 on low grade hardware. While sha512 would be faster in those cases, and maybe less memory.

I don't want to add any extra binaries and dependencies into the container it self.

I was thinking about providing a cli option into Vaultwarden it self to generate a hash maybe. That shouldn't be to hard, and it's built-in without extra binaries, and should work on all environment's i think.

[JCBird1012]

If the server is to be expected to validate hashes and run Argon2 itself, I’d be mindful that some users run Vaultwarden in memory constrained environments (e.g. Raspberry Pis) - I’d say keeping SHA512 around for those users who may not have much memory leeway to run Argon2 is a good idea.

Above comment beat me by a minute.

[jjlin]

That is actually why i added the scrypt sha512. That can be done by openssl for example. Though it doesn't support custom iterations, while mkpasswd does.

OWASP says argon2 first, then scrypt, even before pbkdf2.

BTW, scrypt and "SHA-crypt" aren't the same thing, or even similar. scrypt is more comparable to Argon2, while "SHA-crypt" is comparable to the original/ancient Unix crypt algorithm (basically just replacing DES or MD5 with newer hash algorithms from the SHA family).

[BlackDex]

That is actually why i added the scrypt sha512. That can be done by openssl for example. Though it doesn't support custom iterations, while mkpasswd does.
OWASP says argon2 first, then scrypt, even before pbkdf2.

BTW, scrypt and "SHA-crypt" aren't the same thing, or even similar. scrypt is more comparable to Argon2, while "SHA-crypt" is comparable to the original/ancient Unix crypt algorithm (basically just replacing DES or MD5 with newer hash algorithms from the SHA family).

I think most, if not all Linux distros today use scrypt sha512 with the default 5000 rounds.

[jjlin]

I'm just trying to clarify that what you're calling "scrypt sha512" is not at all related to the scrypt that's recommended by OWASP.

From https://manpages.debian.org/unstable/libcrypt-dev/crypt.5.en.html, $6$ is sha512crypt (based on the old Unix crypt algorithm), and $7$ is scrypt (relatively recent design by Colin Percival).

[tessus]

I think most, if not all Linux distros today use scrypt sha512 with the default 5000 rounds.

Or yescrypt which is built upon scrypt and can do both algorithms.

[BlackDex]

I'm just trying to clarify that what you're calling "scrypt sha512" is not at all related to the scrypt that's recommended by OWASP.

From https://manpages.debian.org/unstable/libcrypt-dev/crypt.5.en.html, $6$ is sha512crypt (based on the old Unix crypt algorithm), and $7$ is scrypt (relatively recent design by Colin Percival).

Sorry, you are right.
Those are not related in any way indeed.

Still, to generate a sha512crypt with already installed tools on the OS is more likely then scrypt or yescrypt for example.

[stefan0xC]

I was thinking about providing a cli option into Vaultwarden it self to generate a hash maybe. That shouldn't be to hard, and it's built-in without extra binaries, and should work on all environment's i think.

Something like

diff --git a/src/main.rs b/src/main.rs
index cd17a2f5..f03d6f25 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -141,6 +141,17 @@ fn parse_args() {
     } else if pargs.contains(["-v", "--version"]) {
         println!("vaultwarden {version}");
         exit(0);
+    } else if let Ok(Some(p)) = pargs.opt_value_from_str::<&str, String>("--password") {
+        use argon2::{
+            password_hash::{rand_core::OsRng, SaltString},
+            PasswordHasher,
+        };
+        let salt = SaltString::generate(&mut OsRng);
+        let argon2 = argon2::Argon2::default();
+        if let Ok(password_hash) = argon2.hash_password(p.as_bytes(), &salt) {
+            println!("{password_hash}");
+        }
+        exit(0);
     }
 }

Then we would not need a dependency on sha-crypt? And users don't have to install argon2 (unless they want to mess with the default parameters).

Also we might want to consider deprecating (or removing) support for ADMIN_TOKEN in plain text so we don't store unhashed passwords.

[BlackDex]

Then we would not need a dependency on sha-crypt? And users don't have to install argon2 (unless they want to mess with the default parameters).

The sha-crypt is there because I know a lot of systems support generating these kind of PHC tokens out-of-the-box.
And for very low-grade hardware where Argon2 might be to much maybe.
This is also for stuff like automated deployments etc... Also, it is way better then the current plain/text we support right now.

Maybe adding PBKDF2 is also an option, because that is what we currently use already to hash the master-password-hash we receive from the Bitwarden clients. But as far as i can tell, there arn't any out-of-the-box tools to generate a PHC string for this. So that would mean we need to build that in into Vaultwarden to generate, and hence does not provide the easy tools as for sha512crypt

Adding the CLI option is nice if you already have Vaultwarden running or you can use docker run.
But if you want to prepare a PHC string upfront, a tool like openssl passwd or mkpasswd can be used.
For example, mkpasswd on Ubuntu 20.04 only supports sha512crypt as the most secure method.

Also we might want to consider deprecating (or removing) support for ADMIN_TOKEN in plain text so we don't store unhashed passwords.

I think it is too soon for deprecating/removing this since we have had this for a long time already. Removing this would break a lot of environments. We could however notify the users that they have a plain/text ADMIN_TOKEN and provide some documentation on how to generate a new one.

In the future it might be a nice thing to play with WASM and provide a way to generate this within the admin interface without sending the password plain/text (besides HTTPS) to the server for example to generate the PHC string.

[stefan0xC]

And for very low-grade hardware where Argon2 might be to much maybe.

Can the argon2 crate detect if a given hash does not meet it's runtime requirements? If so we should probably check that when parsing the config?

Adding such a check would make sense anyway so someone with an existing token that happens to start with $6$ will not be surprised either.

We could however notify the users that they have a plain/text ADMIN_TOKEN and provide some documentation on how to generate a new one.

Adding such a deprecation notice (in the Some(t) => case) to discourage the users is what I meant by deprecating.
edit: but it might make more sense to add such a notice when parsing the config.

In the future it might be a nice thing to play with WASM and provide a way to generate this within the admin interface without sending the password plain/text (besides HTTPS) to the server for example to generate the PHC string.

Good idea. Once we add support for hashed password's setting a password via the admin panel should probably not save the password in plaintext either.

[tessus]

Adding such a check would make sense anyway so someone with an existing token that happens to start with $6$ will not be surprised either.

$6$ is sha512

afaik the Linux hashing (sorry this is a misnomer, I rather meant the hash codes used in Linux/Unix) does not have a number or letter assigned for argon. The options in login.defs are MD5, SHA256, SHA512, BCRYPT, YESCRYPT, DES. The default on Fedora is yescrypt ($y$), the default on Debian is sha512 ($6$) and yescrypt is not yet available in Debian.

[BlackDex]

Before everything goes on and on regarding the hashing type to be selected.
I have thought about this a bit more and spoken with @dani-garcia about it, and we decided to not add sha512crypt, and just use Argon2. I will create an extra flag for Vaultwarden to be able to generate an acceptable hash.

[tessus]

In the future it might be a nice thing to play with WASM

I think the webclient uses WASM for argon. Should be possible to use as a template.

[stefan0xC]

Adding such a check would make sense anyway so someone with an existing token that happens to start with 6 will not be surprised either.

$6$ is sha512

A bit moot now but just to clarify: I was talking about the hypothetical case if my ADMIN_TOKEN would happen to be $6$abc123 then the suggested change would make the admin interface inaccessible because the check would run sha_crypt::sha512_check(token.trim(), t.trim()).is_ok(), which would presumably always fail.

[BlackDex]

I Think it should be almost finished. Want to do some testing on low-grade hardware.

Please provide your comments on the current state 😄 .

[tessus]

Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Verifying - Password:
Passwords do not match

I would add a newline between Verifying and Passwords do not match.

Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Verifying - Password:

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$fOB3HJ7sDhWviGHa8/HkpxFXEmtkdtHRLh68ZyiRs6k$nq5B623SF5uGqYU0LzvaJ7ybsH2RBSclxZbQb3BmW64'

Generation of the Argon2id PHC string took: 186.600603ms

I'd remove the last empty line, after Generation of ...

[tessus]

Not sure, if this is necessary, but would it make sense to add a warning in the admin interface, if the token is not hashed?

[BlackDex]

Thanks for all the comments and suggestions.
Please take a look again, thanks!

[tessus]

Once last thing. ;-) Now there should be an empty line between the hash and the info message (makes it more legible and easier to copy and paste):

Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Confirm Password:

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$b1oYgp3jGHSD56xmm40PVdOT9VhZ0ds8OJ1FuJ/vfMg$/aFZBQ6Edqyi/wjklGP/TW6REAfjwWKu5c0XbP6PHiQ'
Generation of the Argon2id PHC string took: 173.168728ms

should be:

Generate an Argon2id PHC string using the 'bitwarden' preset:

Password:
Confirm Password:

ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$b1oYgp3jGHSD56xmm40PVdOT9VhZ0ds8OJ1FuJ/vfMg$/aFZBQ6Edqyi/wjklGP/TW6REAfjwWKu5c0XbP6PHiQ'

Generation of the Argon2id PHC string took: 173.168728ms

The empty line after Generation of ... was removed so that is great. 👍

Thanks for also fixing the other one I mentioned (password mismatch).

[tessus]

Works great. And thanks for the changes.