directory-dev mailing list archives

From Stefan Seelmann <seelm...@apache.org>
Subject Re: [ApacheDS] hashing passwords before storing
Date Sun, 31 Oct 2010 09:38:11 GMT
Hi Kiran,

On Sun, Oct 31, 2010 at 8:49 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>  hello dev,
>
>  Currently we don't have a feature to automatically hash the passwords before
>  storing them, I would like to propose that we should add this feature.
>
>  I would like to add a new interceptor to support this feature:
>
>   1. It is easy to enable/disable without adding some more config options
>       to DirectoryService
>   2. We can place at the appropriate position in the interceptor chain so that
>       changelog and journals will also have the same password as the DIT
>
>  We currently support the following hashing algorithms
>        SHA, SSHA, MD5, SMD5, Crypt, SHA-2 (256, 384, 512 along with their
>        salted counterparts)
>
>  Studio might need to change its 'password change' screen by adding an option
>  to send the plain text password though the original password is hashed.
>  (AFAIU currently studio hashes on the client side and sends)
>
>  thoughts?

Is this related to the password policies? I think to check the quality
of passwords it is required to send them in plain text, right? In that
case it would be nice to be able to hash the password on the server
side, so +1 from my side.

If we place that interceptor after the KeyDerivationInterceptor it
would also solve the issue that the user password is stored in plain
text when setting up a Kerberos server.

I just wonder if we should have a separate interceptor or if the
server-side hashing should be implemented in the password policy
interceptor.

Kind Regards,
Stefan
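
The server-side hashing step discussed in this thread, as an added example that is not ApacheDS code and not written by either poster: a value that already carries a `{scheme}` prefix (hashed on the client, as Studio is said to do) passes through unchanged, and a plain-text value is stored as a salted SHA-256 hash. The class name, method names and the `{SSHA256}` label are assumptions made for illustration, and only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not ApacheDS API.
public class ServerSideHashExample {
    // Assumed storage label; the scheme names a given server accepts may differ.
    static final String SCHEME = "{SSHA256}";
    static final int DIGEST_LEN = 32, SALT_LEN = 8;

    // An RFC 2307 style "{scheme}..." prefix means the client already hashed the value.
    static boolean isAlreadyHashed(String userPassword) {
        return userPassword.matches("\\{[A-Za-z0-9-]+\\}.+");
    }

    static byte[] digest(byte[] password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password);
        md.update(salt);
        return md.digest();
    }

    // Add/modify path: hash plain values, pass already-hashed ones through untouched.
    static String hashBeforeStore(String userPassword) throws NoSuchAlgorithmException {
        if (isAlreadyHashed(userPassword)) return userPassword;
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] hash = digest(userPassword.getBytes(StandardCharsets.UTF_8), salt);
        byte[] out = Arrays.copyOf(hash, DIGEST_LEN + SALT_LEN); // digest, then salt appended
        System.arraycopy(salt, 0, out, DIGEST_LEN, SALT_LEN);
        return SCHEME + Base64.getEncoder().encodeToString(out);
    }

    // Bind-time check: split digest and salt, recompute, compare in constant time.
    static boolean verify(String candidate, String stored) throws NoSuchAlgorithmException {
        byte[] raw = Base64.getDecoder().decode(stored.substring(SCHEME.length()));
        byte[] salt = Arrays.copyOfRange(raw, DIGEST_LEN, raw.length);
        byte[] expected = Arrays.copyOf(raw, DIGEST_LEN);
        return MessageDigest.isEqual(expected, digest(candidate.getBytes(StandardCharsets.UTF_8), salt));
    }

    public static void main(String[] args) throws Exception {
        String stored = hashBeforeStore("constructed-sample-secret"); // constructed input
        System.out.println("stored value: " + stored);
        System.out.println("correct password verifies: " + verify("constructed-sample-secret", stored));
        System.out.println("wrong password verifies: " + verify("wrong-guess", stored));
        System.out.println("re-submitting stored value is a no-op: " + hashBeforeStore(stored).equals(stored));
    }
}
```

A plain-text password that happens to look like `{word}text` is passed through unhashed by this prefix check, so a real implementation would match only the scheme names it actually supports. Any password quality check has to run on the plain-text value before this step, since nothing can be said about quality once only the hash is available.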
