manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aurélien MAZOYER <aurelien.mazo...@francelabs.com>
Subject Re: Store hash of MCF admin password
Date Fri, 22 Jul 2016 14:16:12 GMT
Hi Karl,

Thank you for your answer. I created the following issue for that : 
https://issues.apache.org/jira/browse/CONNECTORS-1327

Regards,

Aurélien

Le 22/07/2016 16:00, Karl Wright a écrit :
> Patches are welcome.  Please create a ticket and attach a patch that 
> does what you think the encryption ought to do.
>
> Karl
>
>
> On Fri, Jul 22, 2016 at 9:22 AM, Aurélien MAZOYER 
> <aurelien.mazoyer@francelabs.com 
> <mailto:aurelien.mazoyer@francelabs.com>> wrote:
>
>     Hi,
>
>     In order to try to improve security in MCF, I would like to be
>     able to store the password (that is currently hardcoded) used for
>     obfuscation in a specific configuration file. The aim of this
>     approach is to be able to change it but also to be able to add
>     specific linux access right on it. To do that, I think I need to
>     rewrite the Obfuscate file in the source code. Do you think this
>     approach is valid?
>
>     Regards,
>
>     Aurélien
>
>     Le 18/07/2016 14:50, Aurélien MAZOYER a écrit :
>>     Hi Konrad,
>>
>>     Thank you for your answer. It seems that the obfuscation tool
>>     uses a symmetric encoding with password and salt to
>>     obfuscate/deobfuscate passwords. I can see that there is a way to
>>     change the salt with a property, but it seems that the password
>>     is hardcoded in the source code. What is the best practice to use
>>     this obfuscation tool? Is it enough to change the salt in the
>>     property file?
>>
>>     Regards,
>>
>>     Aurélien
>>
>>     Le 18/07/2016 14:13, Konrad Holl a écrit :
>>>
>>>     Hi Aurélien,
>>>
>>>     try the obfuscate.[bat|sh] file in the obfuscation-utility
>>>     directory.
>>>
>>>     In property.xml you can use this obfuscated password instead:
>>>     org.apache.manifoldcf.login.password.obfuscated . See also
>>>     http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>>>
>>>     Hope that helps,
>>>
>>>     Konrad.
>>>
>>>     *From:*Aurélien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
>>>     *Sent:* Montag, 18. Juli 2016 13:31
>>>     *To:* user@manifoldcf.apache.org <mailto:user@manifoldcf.apache.org>
>>>     *Subject:* Store hash of MCF admin password
>>>
>>>     Hi all,
>>>
>>>     Is there a way to store a hash of the mcf admin password instead
>>>     of a clear password in the configuration file of MCF?
>>>
>>>     Regards,
>>>
>>>     Aurélien
>>>
>>
>
>


Mime
View raw message