Subject: Re: [ApacheDS] hashing passwords before storing
From: Stefan Seelmann
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Sun, 31 Oct 2010 10:38:11 +0100

Hi Kiran,

On Sun, Oct 31, 2010 at 8:49 AM, Kiran Ayyagari wrote:
> hello dev,
>
> Currently we don't have a feature to automatically hash the passwords before
> storing them, I would like to propose that we should add this feature.
>
> I would like to add a new interceptor to support this feature:
>
>   1. It is easy to enable/disable without adding some more config options
>      to DirectoryService
>   2. We can place at the appropriate position in the interceptor chain so that
>      changelog and journals will also have the same password as the DIT
>
> We currently support the following hashing algorithms
>        SHA, SSHA, MD5, SMD5, Crypt, SHA-2 (256, 384, 512 along with their
>        salted counterparts)
>
> Studio might need to change its 'password change' screen by adding an option
> to send the plain text password though the original password is hashed.
> (AFAIU currently studio hashes on the client side and sends)
>
> thoughts?

Is this related to the password policies? I think to check the quality of
passwords it is required to send them in plain text, right? In that case it
would be nice to be able to hash the password on the server side, so +1 from
my side.

If we place that interceptor after the KeyDerivationInterceptor it would also
solve the issue that the user password is stored in plain text when setting
up a Kerberos server.

I just wonder if we should have a separate interceptor or if the server-side
hashing should be implemented in the password policy interceptor.

Kind Regards,
Stefan
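As an added illustration, not code from this thread or from ApacheDS itself: the RFC 2307 style userPassword values that the listed schemes (SHA, SSHA, MD5, SMD5 and the SHA-2 family with salted counterparts; Crypt is left out) produce, a verifier that handles both hashed and still-plaintext values, and the store-side decision a server-side hashing interceptor would have to make when Studio has already hashed the value on the client. The scheme prefixes, the 8-byte salt length and the hash-unless-already-prefixed rule are assumptions, not taken from ApacheDS.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Scheme prefix -> (hashlib digest name, salted?). Prefix names follow the common
# RFC 2307 convention; they are an assumption, not taken from ApacheDS.
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True), "MD5": ("md5", False),
           "SMD5": ("md5", True)}
for _bits in (256, 384, 512):  # SHA-2 family and salted counterparts
    SCHEMES["SHA-%d" % _bits] = ("sha%d" % _bits, False)
    SCHEMES["SSHA-%d" % _bits] = ("sha%d" % _bits, True)


def hash_password(plain: str, scheme: str, salt: Optional[bytes] = None) -> str:
    # Produce '{SCHEME}' + base64(digest(plain || salt) || salt); unsalted schemes use no salt.
    algo, salted = SCHEMES[scheme]
    salt = (salt if salt is not None else os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, plain.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_password(plain: str, stored: str) -> bool:
    # A value without a scheme prefix is plaintext (what the proposal stops storing).
    if not stored.startswith("{") or "}" not in stored:
        return hmac.compare_digest(plain.encode("utf-8"), stored.encode("utf-8"))
    scheme, encoded = stored[1:].split("}", 1)
    if scheme.upper() not in SCHEMES:
        return False
    algo, salted = SCHEMES[scheme.upper()]
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:
        return False
    dlen = hashlib.new(algo).digest_size
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]  # the salt is whatever follows the digest
    candidate = hashlib.new(algo, plain.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def value_to_store(incoming: str, default_scheme: str = "SSHA-256") -> str:
    # Assumed interceptor rule: hash a plaintext userPassword, but pass through a
    # value that already carries a known scheme (e.g. hashed client-side by Studio).
    if incoming.startswith("{") and incoming[1:].split("}", 1)[0].upper() in SCHEMES:
        return incoming
    return hash_password(incoming, default_scheme)
```

Note that a value stored plaintext verifies only by direct comparison, so whether a given entry was hashed is visible from the prefix alone; that is what makes the changelog and journal placement in the proposal matter.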