tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: encrypting passwords in tomcat-users.xml
Date Thu, 23 Nov 2017 05:27:47 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dimas,

On 11/22/17 5:52 AM, Dimas Souza wrote:
> Hi Christopher,
> 
> I've been trying to figure out this issues as well, thank you for 
> your answer, it has clarified some questions of my own.
> 
> I still have a question about your answer though, see below:
> 
> On 11/20/17 10:53 PM, Christopher Schultz wrote:
> 
>> Guy,
>> 
>> On 11/20/17 1:23 PM, Guy Mac wrote:
>>> I'm failing to figure out how to encrypt passwords for
>>> (slightly) different versions of Tomcat 8.0.x on different
>>> platforms.
>> 
>> Some background: older versions of Tomcat only supported
>> single-round hashing such as MD5, SHA-1, SHA-256, etc. and the
>> newer versions support many more options including pluggable
>> modules to do whatever you want. Most people will be able to use
>> the baked-in modules to get what they want, but you can build
>> your own if you need something special .
>> 
>>> With Tomcat 8.0.37 on MacOS, I run digest.sh with a password, 
>>> placing the output in tomcat-users
>> 
>> Specifically, how do you run this?
>> 
>>> , and update the Realm for the Catalina engine to: <Realm 
>>> className="org.apache.catalina.realm.LockOutRealm"> <Realm 
>>> className="org.apache.catalina.realm.UserDatabaseRealm" 
>>> resourceName="UserDatabase"> <CredentialHandler 
>>> className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>>>
>>>
>>
>>> 
algorithm="SHA-512"/>
>>> </Realm> </Realm>
>>> 
>>> and that all works just fine.
>> 
>> Good.
>> 
>>> But when I try to repeat the steps for Tomcat 8.0.14-1 on
>>> Linux (Debian), it does not work. How do I encrypt passwords
>>> for this version of Tomcat?
>> 
>> The process should should be the same, and the hash should be the
>> same no matter what what version of Tomcat you use to produce it,
>> and no matter what platform you use.
>> 
>> From a Tomcat 7.0.x install:
>> 
>> $ $CATALINA_HOME/bin/digest.sh -a SHA-512 's3cret' 
>> s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcb
a0
>>
>>
>> 
[Note that if you put that on the command-line it will be in your
>> shell's history for anyone to see. Try using a leading space
>> character to keep some shells from keeping the command in the
>> history.]
>> 
>> From a Tomcat 8.0.x install: $ $CATALINA_HOME/bin/digest.sh -a
>> SHA-256 s3cret 
>> s3cret:46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d4
9b$
>>
>> 
1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207
>> 
>> Wait, what?! It turns out that Tomcat 8.0.x uses a salted,
>> iterated hash by default and so you get (a) more protection and
>> (b) more stuff coming out.
>> 
>> If you want to get the same thing you got from Tomcat 7.0.x,
>> you'll need some additional command-line arguments:
>> 
>> $ $CATALINA_HOME/bin/digest.sh -a SHA-256 -i 1 -s 0 s3cret 
>> s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcb
a0
>>
>>
>> 
This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.
> 
> Since you had to put some more arguments to generate the digest,
> are they also necessary on the server.xml file?

That depends upon what specifically you are trying to do. If you
expect to use Tomcat 8.0.x or later and don't have to support an older
version, then I'd recommend using PBKDF2 as your algorithm and simply
sticking with that.

If you have an existing user database, then it's possible to use the
existing algorithm alongside of a better one (such as salted/iterated
SHA-2 or PBKDF2). Have a look at this presentation for some details:
http://people.apache.org/~schultz/ApacheCon%20NA%202017/Seamless%20Upgra
des%20for%20Credential%20Security%20in%20Apache%20Tomcat.pdf

You can find that presentation linked from the Tomcat Presentations page
:
http://tomcat.apache.org/presentations.html

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloWXFIACgkQHPApP6U8
pFiTDQ/8CrcaIFMJoTwc+nreVs4+vCxmIWrs90YnsvTxGngIGWtaOgjKQ/hFOBPr
Fj3r1WvNz0+QUMps7VeqhiHff9IBSEjc8q3lnscTh3nmSo9APSKPknFqpafFAVus
+i4qvv1E/xPi4XcyVe/MGirN5u9F8kV3nNvs4Aao9DrnS3uMymK1hk9hUI7h6zRi
R9CPYYudFnITD0UB4/mAPG6HdixZ+HzAZgxSkwNXFRzitJSthlim6MorqAw0v8eX
RzHNpOioMQxReSrxwNWnD+FvtLLeE1CJ4v897Mvwi82PIufZ6ZHodiZdzmHzTnyp
YOpFVCYJXK5bVzJQEybx7ZWUNgyfXmW7ANkqq6TN4jIytfYE9vEchp4OCdJ1cCPP
0fGs98FghCWAxk8aJx3y9mYIsYnmFH5+TaMNshQ82ZxEvB6MyhdpTjr4NXWdH3WK
1qa3CjYI8S50i9wgCphcT9rGHC8MOsQB5o8+VzerP3wQpP213Sc7sPRtGAIm9xgh
ysTIzxFvFJBWAS3rvYuXcYn6POtXfMtqploeQFCPDY6wRQ12MYnsopCUaJRpZOVm
a0TV95NpralpsKevzm+ua5+0+XqvP5gPLMjXPhzewZOmpirvnSSHDqQN9BLIdzJ8
6XyomfCvwVQdIhXjCJJF/+5u9iMqV4lJ692d5Mk3usIpkYckwoc=
=BZ8+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message