syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [DISCUSS] - Change default password algorithm for 2.1.0
Date Fri, 14 Jul 2017 14:52:48 GMT
On Fri, Jul 14, 2017 at 1:14 PM, Francesco Chicchiriccò <ilgrosso@apache.org
> wrote:


> Well, the default jwKey is hard-coded in
>
> https://github.com/apache/syncope/blob/master/core/spring/
> src/main/java/org/apache/syncope/core/spring/security/D
> efaultCredentialChecker.java#L31
>
> no?
>

Sure, but that's only used to check that the default value in
security.properties has been changed. The value in Encryptor is actually
used for encryption if the property does not appear in security.properties
at all. I'm just wondering if we need to support this use-case, it seems
reasonable to error if the property is not there, and then this default
value could be removed from Encryptor? Not a big deal either way though :-)

Colm.



>
> If you are ok with switching to SSHA256 for 2.1.0 I'll create a JIRA....
>>
>
> Sure, please go ahead.
>
>
> Regards.
>
> On Fri, Jul 14, 2017 at 12:09 PM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>> On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
>>>
>>> OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
>>>>
>>>> BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
>>>> Encryptor. If SECRET_KEY is null we should probably throw an
>>>> exception...
>>>>
>>>> We recently took a different approach for default admin password,
>>> default
>>> JWS key, etc
>>>
>>> https://issues.apache.org/jira/browse/SYNCOPE-1119
>>>
>>> No?
>>>
>>>
>>> On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <
>>>
>>>> ilgrosso@apache.org> wrote:
>>>>
>>>> On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
>>>>
>>>>> How does the salt configuration work for "SSHA256"? Is it stored in
>>>>>
>>>>>> security.properties?
>>>>>>
>>>>>> Password values are encrypted by
>>>>>>
>>>>> https://github.com/apache/syncope/blob/master/core/spring/
>>>>> src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
>>>>>
>>>>> with configuration from security.properties
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <
>>>>>
>>>>> ilgrosso@apache.org> wrote:
>>>>>>
>>>>>> On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
>>>>>>
>>>>>> I guess SHA-256 would be a straightforward replacement. Maybe we
>>>>>>> should
>>>>>>>
>>>>>>> instead move to a salted hash though?
>>>>>>>>
>>>>>>>> Well, just set your preference among
>>>>>>>>
>>>>>>>> https://github.com/apache/syncope/blob/master/common/lib/
>>>>>>> src/main/java/org/apache/syncope/common/lib/types/CipherAlgo
>>>>>>> rithm.java
>>>>>>>
>>>>>>> :-)
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <
>>>>>>>
>>>>>>> ilgrosso@apache.org> wrote:
>>>>>>>
>>>>>>>> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>>>>>>>>
>>>>>>>> Should we change the default password algorithm from SHA1
for 2.1.0?
>>>>>>>>
>>>>>>>>> It's
>>>>>>>>>
>>>>>>>>> probably time to migrate from SHA1 IMO.
>>>>>>>>>
>>>>>>>>>> Makes sense.
>>>>>>>>>>
>>>>>>>>>> The only problem I could see if when pulling hashed
password
>>>>>>>>>> values
>>>>>>>>>>
>>>>>>>>> from
>>>>>>>>> LDAP, where SHA1 is still quite common. Not a big deal,
anyway.
>>>>>>>>>
>>>>>>>>> Which algorithm do you propose?
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>>
>>>>>>>>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message