syncope-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: [DISCUSS] - Change default password algorithm for 2.1.0
Date Fri, 14 Jul 2017 12:03:51 GMT
Well I guess the difference between the two cases is that for SYNCOPE-1119
we need to have some (default) values in security.properties to get Syncope
to start properly (hence logging if the default values are detected).
Whereas for Encryptor, it has the default key hard-coded into the class. It
seems reasonable to me that it should error if the relevant property is not
read in from security.properties.

If you are ok with switching to SSHA256 for 2.1.0 I'll create a JIRA....

Colm.

On Fri, Jul 14, 2017 at 12:09 PM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:

> On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
>> OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
>>
>> BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
>> Encryptor. If SECRET_KEY is null we should probably throw an exception...
>
> We recently took a different approach for default admin password, default
> JWS key, etc
>
> https://issues.apache.org/jira/browse/SYNCOPE-1119
>
> No?
>
>> On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <
>> ilgrosso@apache.org> wrote:
>>
>>> On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
>>>> How does the salt configuration work for "SSHA256"? Is it stored in
>>>> security.properties?
>>>
>>> Password values are encrypted by
>>>
>>> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
>>>
>>> with configuration from security.properties
>>>
>>> Regards.
>>>
>>>> On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <
>>>> ilgrosso@apache.org> wrote:
>>>>
>>>>> On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
>>>>>> I guess SHA-256 would be a straightforward replacement. Maybe we should
>>>>>> instead move to a salted hash though?
>>>>>
>>>>> Well, just set your preference among
>>>>>
>>>>> https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java
>>>>>
>>>>> :-)
>>>>>
>>>>> Regards.
>>>>>
>>>>>> On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <
>>>>>> ilgrosso@apache.org> wrote:
>>>>>>
>>>>>>> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>>>>>>>> Should we change the default password algorithm from SHA1 for 2.1.0? It's
>>>>>>>> probably time to migrate from SHA1 IMO.
>>>>>>>
>>>>>>> Makes sense.
>>>>>>>
>>>>>>> The only problem I could see is when pulling hashed password values from
>>>>>>> LDAP, where SHA1 is still quite common. Not a big deal, anyway.
>>>>>>>
>>>>>>> Which algorithm do you propose?
>>>>>>>
>>>>>>> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

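As an added illustration (not code from Syncope or from either poster) of the two points raised in the thread above: an unsalted SHA1 digest versus a salted SHA-256 digest whose salt travels with the stored value, plus a loader that refuses to start when the secret key is absent from security.properties instead of falling back to a hard-coded default. The `{SHA}`/`{SSHA256}` on-disk format, the `secretKey` property name and the upgrade check are assumptions made for this demo, not Syncope's Encryptor format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Stored form assumed here is the LDAP userPassword convention ({SHA}, {SSHA256}),
# chosen because the thread mentions SHA1 hashes pulled from LDAP; it is not
# Syncope's own Encryptor encoding.

def sha1_unsalted(password: str) -> str:
    """Old default: {SHA} base64(sha1(password)). Equal passwords give equal
    digests, so a precomputed table applies to every account at once."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def ssha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """New default: {SSHA256} base64(sha256(password || salt) || salt).
    The per-user salt is stored with the digest, so nothing extra is needed
    in security.properties to verify it later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password: str, stored: str) -> bool:
    """Accept both schemes so legacy SHA1 values (e.g. from LDAP) keep working
    while new passwords are written as SSHA256. Comparison is constant-time."""
    if stored.startswith("{SSHA256}"):
        raw = base64.b64decode(stored[len("{SSHA256}"):])
        digest, salt = raw[:32], raw[32:]          # sha256 digest is 32 bytes
        candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_unsalted(password), stored)
    raise ValueError("unsupported scheme: " + stored[:10])

def needs_upgrade(stored: str) -> bool:
    """Flag legacy unsalted entries so they can be re-hashed at next login."""
    return not stored.startswith("{SSHA256}")

def load_secret_key(props: dict) -> str:
    """Fail closed: a missing or blank key aborts startup rather than silently
    using a compiled-in default. 'secretKey' is a constructed property name."""
    key = props.get("secretKey")
    if not key or not key.strip():
        raise RuntimeError("secretKey missing from security.properties")
    return key
```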