185 lines
7.1 KiB
Markdown
185 lines
7.1 KiB
Markdown
---
|
||
layout: default
|
||
title: File
|
||
parent: Authentication backends
|
||
grand_parent: Configuration
|
||
nav_order: 1
|
||
---
|
||
|
||
# File
|
||
|
||
**Authelia** supports a file as a users database.
|
||
|
||
## Configuration
|
||
|
||
Configuring Authelia to use a file is done by specifying the path to the
|
||
file in the configuration file.
|
||
|
||
authentication_backend:
|
||
file:
|
||
path: /var/lib/authelia/users.yml
|
||
password_hashing:
|
||
algorithm: argon2id
|
||
iterations: 1
|
||
salt_length: 16
|
||
parallelism: 8
|
||
memory: 1024
|
||
|
||
|
||
### Password hashing configuration settings
|
||
|
||
#### algorithm
|
||
- Value Type: String
|
||
- Possible Value: `argon2id` and `sha512`
|
||
- Recommended: `argon2id`
|
||
- What it Does: Changes the hashing algorithm
|
||
|
||
#### iterations
|
||
- Value Type: Int
|
||
- Possible Value: `1` or higher for argon2id and `1000` or higher for sha512
|
||
(will automatically be set to `1000` on lower settings)
|
||
- Recommended: `1` for the `argon2id` algorithm and `50000` for `sha512`
|
||
- What it Does: Adjusts the number of times we run the password through the hashing algorithm
|
||
|
||
#### key_length
|
||
- Value Type: Int
|
||
- Possible Value: `16` or higher.
|
||
- Recommended: `32` or higher.
|
||
- What it Does: Adjusts the length of the actual hash
|
||
|
||
#### salt_length
|
||
- Value Type: Int
|
||
- Possible Value: between `2` and `16`
|
||
- Recommended: `16`
|
||
- What it Does: Adjusts the length of the random salt we add to the password, there
|
||
is no reason not to set this to 16
|
||
|
||
#### parallelism
|
||
- Value Type: Int
|
||
- Possible Value: `1` or higher
|
||
- Recommended: `8` or twice your CPU cores
|
||
- What it Does: Sets the number of threads used for hashing
|
||
|
||
#### memory
|
||
- Value Type: Int
|
||
- Possible Value: at least `8` times the value of `parallelism`
|
||
- Recommended: `1024` (1GB) or as much RAM as you can afford to give to hashing
|
||
- What it Does: Sets the amount of RAM used in MB for hashing
|
||
|
||
#### Examples for specific systems
|
||
|
||
These examples have been tested against a single system to make sure they roughly take
|
||
0.5 seconds each. Your results may vary depending on individual specification and
|
||
utilization, but they are a good guide to get started. You should however read
|
||
[How to choose the right parameters for Argon2].
|
||
|
||
| System |Iterations|Parallelism|Memory |
|
||
|:------------: |:--------:|:---------:|:-----:|
|
||
|Raspberry Pi 2 | 1 | 8 | 64 |
|
||
|Raspberry Pi 3 | 1 | 8 | 128 |
|
||
|Raspberry Pi 4 | 1 | 8 | 128 |
|
||
|Intel G5 i5 NUC| 1 | 8 | 1024 |
|
||
|
||
|
||
## Format
|
||
|
||
The format of the users file is as follows.
|
||
|
||
users:
|
||
john:
|
||
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
|
||
email: john.doe@authelia.com
|
||
groups:
|
||
- admins
|
||
- dev
|
||
|
||
harry:
|
||
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
|
||
email: harry.potter@authelia.com
|
||
groups: []
|
||
|
||
bob:
|
||
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
|
||
email: bob.dylan@authelia.com
|
||
groups:
|
||
- dev
|
||
|
||
james:
|
||
password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
|
||
email: james.dean@authelia.com
|
||
|
||
|
||
This file should be set with read/write permissions as it could be updated by users
|
||
resetting their passwords.
|
||
|
||
|
||
## Passwords
|
||
|
||
The file contains hashed passwords instead of plain text passwords for security reasons.
|
||
|
||
You can use Authelia binary or docker image to generate the hash of any password. The
|
||
hash-password command has many tunable options, you can view them with the
|
||
`authelia hash-password --help` command. For example if you wanted to improve the entropy
|
||
you could generate a 16 byte salt and provide it with the `--salt` flag.
|
||
Example: `authelia hash-password --salt abcdefghijklhijl`. For argon2id the salt must
|
||
always be valid for base64 decoding (characters a through z, A through Z, 0 through 9, and +/).
|
||
|
||
For instance to generate a hash with the docker image just run:
|
||
|
||
$ docker run authelia/authelia:latest authelia hash-password yourpassword
|
||
$ Password hash: $argon2id$v=19$m=65536$3oc26byQuSkQqksq$zM1QiTvVPrMfV6BVLs2t4gM+af5IN7euO0VB6+Q8ZFs
|
||
|
||
Full CLI Help Documentation:
|
||
|
||
```
|
||
Hash a password to be used in file-based users database. Default algorithm is argon2id.
|
||
|
||
Usage:
|
||
authelia hash-password [password] [flags]
|
||
|
||
Flags:
|
||
-h, --help help for hash-password
|
||
-i, --iterations int set the number of hashing iterations (default 1)
|
||
-k, --key-length int [argon2id] set the key length param (default 32)
|
||
-m, --memory int [argon2id] set the amount of memory param (in MB) (default 1024)
|
||
-p, --parallelism int [argon2id] set the parallelism param (default 8)
|
||
-s, --salt string set the salt string
|
||
-l, --salt-length int set the auto-generated salt length (default 16)
|
||
-z, --sha512 use sha512 as the algorithm (defaults iterations to 50000, change with -i)
|
||
```
|
||
|
||
## Password hash algorithm
|
||
The default hash algorithm is salted Argon2id version 19. Argon2id is currently considered
|
||
the best hashing algorithm, and in 2015 won the
|
||
[Password Hashing Competition](https://en.wikipedia.org/wiki/Password_Hashing_Competition).
|
||
It benefits from customizable parameters allowing the cost of computing a hash to scale
|
||
into the future which makes it harder to brute-force. Argon2id was implemented due to community
|
||
feedback as you can see in this closed [issue](https://github.com/authelia/authelia/issues/577).
|
||
|
||
Additionally SHA512 is supported for backwards compatibility and user choice. While it's a reasonable
|
||
hash function given high enough iterations, as hardware gets better it has a higher chance of being
|
||
brute-forced.
|
||
|
||
Hashes are identifiable as argon2id or SHA512 by their prefix of either `$argon2id$` and `$6$`
|
||
respectively, as described in this [wiki page](https://en.wikipedia.org/wiki/Crypt_(C)).
|
||
|
||
### Password hash algorithm tuning
|
||
|
||
All algorithm tuning is supported for Argon2id. The only configuration variables that affect
|
||
SHA512 are iterations and salt length. The configuration variables are unique to the file
|
||
authentication provider, thus they all exist in a key under the file authentication configuration
|
||
key called `password_hashing`. We have set what are considered as sane and recommended defaults
|
||
to cater for a reasonable system, if you're unsure about which settings to tune, please see the
|
||
parameters above, or for a more in depth understanding see the referenced documentation.
|
||
|
||
#### Argon2 Links
|
||
[How to choose the right parameters for Argon2]
|
||
|
||
[How to choose the right parameters for Argon2](https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/)
|
||
|
||
[Go Documentation](https://godoc.org/golang.org/x/crypto/argon2)
|
||
|
||
[IETF Draft](https://tools.ietf.org/id/draft-irtf-cfrg-argon2-09.html)
|
||
|
||
|
||
[How to choose the right parameters for Argon2]: https://www.twelve21.io/how-to-choose-the-right-parameters-for-argon2/ |