diff --git a/Dockerfile b/Dockerfile index f32ad39fd..e9e465ad4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # ======================================= # ===== Build image for the backend ===== # ======================================= -FROM golang:1.13.6-alpine AS builder-backend +FROM golang:1.14.0-alpine AS builder-backend ARG BUILD_TAG ARG BUILD_COMMIT diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7 index 7280abbaa..16c3572ef 100644 --- a/Dockerfile.arm32v7 +++ b/Dockerfile.arm32v7 @@ -1,7 +1,7 @@ # ======================================= # ===== Build image for the backend ===== # ======================================= -FROM golang:1.13-alpine AS builder-backend +FROM golang:1.14.0-alpine AS builder-backend ARG BUILD_TAG ARG BUILD_COMMIT diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8 index 914fa80cc..da0e27daa 100644 --- a/Dockerfile.arm64v8 +++ b/Dockerfile.arm64v8 @@ -1,7 +1,7 @@ # ======================================= # ===== Build image for the backend ===== # ======================================= -FROM golang:1.13-alpine AS builder-backend +FROM golang:1.14.0-alpine AS builder-backend ARG BUILD_TAG ARG BUILD_COMMIT diff --git a/cmd/authelia-scripts/cmd_docker.go b/cmd/authelia-scripts/cmd_docker.go index fd28bddb8..5d5de8314 100644 --- a/cmd/authelia-scripts/cmd_docker.go +++ b/cmd/authelia-scripts/cmd_docker.go @@ -44,7 +44,7 @@ func dockerBuildOfficialImage(arch string) error { // Set default Architecture Dockerfile to amd64 dockerfile := "Dockerfile" // Set version of QEMU - qemuversion := "v4.2.0-4" + qemuversion := "v4.2.0-6" // If not the default value if arch != defaultArch { diff --git a/config.template.yml b/config.template.yml index fd4dfd297..6cdb1c5d5 100644 --- a/config.template.yml +++ b/config.template.yml @@ -110,7 +110,7 @@ authentication_backend: ## iterations: 1 ## key_length: 32 ## salt_length: 16 - ## memory: ‭1048576‬ + ## memory: 1024 ## parallelism: 8 # Access Control # 
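Review bot: The new `## memory: 1024` example in config.template.yml states no unit, yet it replaces `1048576`, a value 1024 times larger, so the unit of this Argon2id cost parameter seems to have changed from KiB to MB (file.md in this commit describes it as MB). I would put the unit on the line itself, for example by appending ` # in MB`, so that an operator uncommenting the block does not have to guess. The code that interprets the value is not part of this diff, but if it now reads MB, a deployment that kept `memory: 1048576` would presumably request about 1 TB per hash, which is worth confirming and calling out in the upgrade notes. The invisible bidirectional formatting characters removed from this line also appear to remain in docs/configuration/authentication/file.md, inside the backticks of the `memory` "Recommended" value, where a copy-paste would yield something YAML cannot parse as an integer.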
diff --git a/docs/configuration/authentication/file.md b/docs/configuration/authentication/file.md index 8424b2972..e98c3aebe 100644 --- a/docs/configuration/authentication/file.md +++ b/docs/configuration/authentication/file.md @@ -28,45 +28,44 @@ file in the configuration file. ### Password hashing configuration settings - #### algorithm +#### algorithm - Value Type: String - Possible Value: `argon2id` and `sha512` - Recommended: `argon2id` - What it Does: Changes the hashing algorithm - - #### iterations + +#### iterations - Value Type: Int - Possible Value: `1` or higher for argon2id and `1000` or higher for sha512 (will automatically be set to `1000` on lower settings) - Recommended: `1` for the `argon2id` algorithm and `50000` for `sha512` - What it Does: Adjusts the number of times we run the password through the hashing algorithm - - #### key_length + +#### key_length - Value Type: Int - Possible Value: `16` or higher. - Recommended: `32` or higher. - What it Does: Adjusts the length of the actual hash - - #### salt_length + +#### salt_length - Value Type: Int - Possible Value: between `2` and `16` - Recommended: `16` - What it Does: Adjusts the length of the random salt we add to the password, there is no reason not to set this to 16 - - #### parallelism + +#### parallelism - Value Type: Int - Possible Value: `1` or higher - Recommended: `8` or twice your CPU cores - What it Does: Sets the number of threads used for hashing - - #### memory + +#### memory - Value Type: Int - Possible Value: at least `8` times the value of `parallelism` - Recommended: `1024‬‬` (1GB) or as much RAM as you can afford to give to hashing - What it Does: Sets the amount of RAM used in MB for hashing - - + #### Examples for specific systems These examples have been tested against a single system to make sure they roughly take 
@@ -113,6 +112,7 @@ The format of the users file is as follows. This file should be set with read/write permissions as it could be updated by users resetting their passwords. + ## Passwords The file contains hashed passwords instead of plain text passwords for security reasons. 
@@ -162,24 +162,24 @@ brute-forced. Hashes are identifiable as argon2id or SHA512 by their prefix of either `$argon2id$` and `$6$` respectively, as described in this [wiki page](https://en.wikipedia.org/wiki/Crypt_(C)). + +### Password hash algorithm tuning - ### Password hash algorithm tuning +All algorithm tuning is supported for Argon2id. The only configuration variables that affect +SHA512 are iterations and salt length. The configuration variables are unique to the file +authentication provider, thus they all exist in a key under the file authentication configuration +key called `password_hashing`. We have set what are considered as sane and recommended defaults +to cater for a reasonable system, if you're unsure about which settings to tune, please see the +parameters above, or for a more in depth understanding see the referenced documentation. - All algorithm tuning is supported for Argon2id. The only configuration variables that affect - SHA512 are iterations and salt length. The configuration variables are unique to the file - authentication provider, thus they all exist in a key under the file authentication configuration - key called `password_hashing`. We have set what are considered as sane and recommended defaults - to cater for a reasonable system, if you're unsure about which settings to tune, please see the - parameters above, or for a more in depth understanding see the referenced documentation. 
+#### Argon2 Links +[How to choose the right parameters for Argon2] - #### Argon2 Links - [How to choose the right parameters for Argon2] +[How to choose the right parameters for Argon2](https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/) - [How to choose the right parameters for Argon2](https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/) +[Go Documentation](https://godoc.org/golang.org/x/crypto/argon2) - [Go Documentation](https://godoc.org/golang.org/x/crypto/argon2) - - [IETF Draft](https://tools.ietf.org/id/draft-irtf-cfrg-argon2-09.html) +[IETF Draft](https://tools.ietf.org/id/draft-irtf-cfrg-argon2-09.html) [How to choose the right parameters for Argon2]: https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/ \ No newline at end of file diff --git a/internal/suites/example/compose/authelia/Dockerfile.backend b/internal/suites/example/compose/authelia/Dockerfile.backend index 0be55c9a5..617921ad8 100644 --- a/internal/suites/example/compose/authelia/Dockerfile.backend +++ b/internal/suites/example/compose/authelia/Dockerfile.backend @@ -1,4 +1,4 @@ -FROM golang:1.13-alpine +FROM golang:1.14.0-alpine ARG USER_ID ARG GROUP_ID