directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRSERVER-1822) Same password can be used multiple times, when SSHA is used for password hash.
Date Thu, 11 Apr 2013 10:07:16 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13628807#comment-13628807 ]

Emmanuel Lecharny commented on DIRSERVER-1822:
----------------------------------------------

Actually, ApacheDS does not hash the password when received in clear text by default.

But if the Hash interceptor is enabled, then the password will be hashed, and salted if required.
We need to modify the way we check the password when a salted hash is used.
                
> Same password can be used multiple times, when SSHA is used for password hash.
> ------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-1822
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1822
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Peter Hmelak
>            Assignee: Kiran Ayyagari
>
> When using SSHA (salted SHA) for password hashing, no CONSTRAINT_VIOLATION (invalid reuse of password present in password history) is thrown, if the new password is the same as one already in pwdHistory.
> I believe the current implementation just compares the new password hash with the ones stored in pwdHistory.
> And because of the new salt, no two hashes are ever alike, even though the passwords are the same.
> Suggestion for fix:
> *Every* salt stored in pwdHistory should be used, together with the new password, when creating password hashes, that are then compared with the ones already stored in pwdHistory.
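As an added illustration of the fix the report suggests (this is not ApacheDS code), the following Python contrasts the broken check (hash the new password with a fresh salt, compare strings) with one that recovers the salt from each stored `{SSHA}` value and re-hashes the new password with it. The pwdHistory entries are assumed here to be plain `{SSHA}` userPassword values, a simplification of the real attribute format.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Tuple

PREFIX = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest length in bytes; the salt follows it

def ssha_hash(password: bytes, salt: bytes) -> str:
    """Encode a password as {SSHA}base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored {SSHA} value."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len(PREFIX):])
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]

def build_history() -> List[str]:
    """Constructed sample pwdHistory: two old passwords, each with its own salt."""
    return [ssha_hash(b"secret1", b"salt-one"), ssha_hash(b"secret2", b"salt-two")]

def naive_in_history(new_password: bytes, history: List[str]) -> bool:
    """The check the report describes as broken: hash with a fresh random salt
    and compare the resulting strings. The fresh salt means it never matches."""
    candidate = ssha_hash(new_password, os.urandom(8))
    return candidate in history

def salted_in_history(new_password: bytes, history: List[str]) -> bool:
    """The suggested fix: re-hash the new password with every stored salt and
    compare digests in constant time, so reuse is caught despite differing salts."""
    for entry in history:
        digest, salt = ssha_split(entry)
        candidate = hashlib.sha1(new_password + salt).digest()
        if hmac.compare_digest(candidate, digest):
            return True
    return False

if __name__ == "__main__":
    hist = build_history()
    print("naive :", naive_in_history(b"secret1", hist))   # False: reuse missed
    print("salted:", salted_in_history(b"secret1", hist))  # True: reuse detected
```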
