From: David Jencks
Subject: Re: Plaintext passwords in Geronimo plans and config files
Date: Thu, 22 Feb 2007 09:01:11 -0800
To: user@geronimo.apache.org

On Feb 22, 2007, at 6:12 AM, Aman Nanner/MxI Technologies wrote:

> Hi,
>
> I have noticed that passwords in plans and configuration files in Geronimo
> (1.2-beta) are not encrypted by the server, and remain in plaintext. For
> example, passwords in:
>
> 1) Datasource connector plans
> 2) ActiveMQ connector plans
> 3) TomcatWebSSL Keystore passwords
> 4) Geronimo properties realm passwords
>
> Having these plaintext passwords in these configuration files poses an
> inherent security risk that would prevent us from deploying Geronimo out to
> customer sites. Are there any plans to have all these passwords encrypted?

1-3 of these are in module plans, which are unneeded after the module
has been deployed into a car file. So, don't distribute the plans but
the car files.

For (4), I'd suggest you use a non-toy authentication method such as
LDAP. Properties file based authentication is mainly intended for
experimentation.

You can probably figure out how to extract passwords from the car files
if you work hard enough. However, if you think this is a problem I'd
like to remind you that security against someone with physical access
to a machine or complete file system access is pretty much impossible:
look at the recent HDDVD crack. In other words, if you distribute
software to customer machines, you should assume that if they really
want to they can extract any passwords you try to hide in the software.

I've wondered if it would be appropriate to provide a mode whereby you
need a password to start Geronimo or you supply a command line password
to unlock the keystores on startup, but haven't got much beyond
wondering if it would actually provide any additional security beyond
that available on a properly secured server.

thanks
david jencks

>
> Thanks,
> Aman