db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication
Date Sat, 27 Feb 2010 10:06:05 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12839215#action_12839215

Knut Anders Hatlen commented on DERBY-4483:

Hi Bryan,

>> This means that a database may contain passwords that are hashed using different
> Can the Derby administrator or DBA tell that they are in this state? Is there a way to
> which user/passwords are hashed with which algorithm, during a situation in which my
database has
> such a mixture? 

If the DBA has a list of all users in the system, he could query the derby.user.* database
properties and look at their suffixes. For example:

ij> select name, substr(pw, length(pw) - 9, 10) from
> (select u, syscs_util.syscs_get_database_property(rtrim('derby.user.'||u))
> from (values 'knut', 'bryan', 'dag') v(u)) s(name, pw);
NAME |2         
knut |5de26b791b
dag  |a2:SHA-512

3 rows selected

Here, the user 'knut' has a password that's hashed with the old scheme (there's no algorithm
name in the suffix), 'bryan' has a password hashed with MD5, and 'dag' with SHA-512.

I don't think we currently have any way of listing all database properties, so the DBA must
know all users up front in order to perform this query. It might be useful (in a separate
JIRA) to add a new diagnostic table function to improve the monitoring capabilities. Then
we could simply have done something like this:

select * from table ( syscs_diag.database_properties('derby.user.%') ) p;

> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions:
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: experiment.diff
> The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1
algorithm. It would be nice to have way to specify a different algorithm so that users can
take advantage of new, stronger algorithms provided by their JCE provider if so desired.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message