From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: encrypting passwords in tomcat-users.xml
Date Thu, 23 Nov 2017 17:04:06 GMT

Guy,

On 11/22/17 1:50 PM, Guy wrote:
> Maybe I should ask this in a different way: what are the steps to
> use encrypted passwords in tomcat-users.xml under Tomcat 8.0.14?

Note that the passwords aren't "encrypted" per se (that is, they are not
using reversible encryption), but they have been modified such that they
cannot be recovered. This is known as a "secure hash" -- even when it's
more complicated than that ... such as using PBKDF2, bcrypt, etc. They
are essentially the same basic idea, but the PBKDF2s of the world add a
bunch of other features to strengthen the key and add complexity to the
process to yield a higher-quality stored credential (the thing that you
put into the tomcat-users.xml file).

> I know what they are in Tomcat 8.0.37. They're both versions of 
> Tomcat 8.0.x, so why does something that works in one not work in
> the other? Does the server.xml configuration need to be different?
That depends upon what you want to do.

> Here are some specifics on how I'm running digest.sh.
> 
> As you will see, they are different. The newer version has more 
> arguments, and produces a different output, in the format 
> salt$iterations$digest.

Yes. This reflects the current default operation of digest.sh, but the
credential handlers ought to be backward-compatible so if you use a
digest with no salt and no iteration count, the newer version of Tomcat
should be able to use it without a problem. A salted, iterated hash is
more secure than one that isn't, which is why the default operation has
been changed.

> First, on Mac with apache-tomcat-8.0.37:
> 
> % ./digest.sh secret
> secret:304fb189dd47d028f892f95a0d9a2c8d707b24d72474b62e78d30401a7cc05b6$1$a299b9b24fdaf7219500ad39f21cea319fdce2a99d175c263ab16bd89c428ffdbafea125f9559a4be9081b5955c35574dae002fb2b32b1acccdef9c77a81fb2e

The version of Tomcat is significant, but the OS is not. This isn't a
Mac-vs-Linux thing.

> % ./digest.sh
> Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i <iterations>] [-s <salt-length>] [-k <key-length>] [-h <handler-class-name>] <credentials>
> 
> I believe this is defaulting to SHA-512 as per the docs and the
> fact that it worked when I configured the Realm to use SHA-512 with
> the CredentialHandler.

Right.

> Next, on Linux with apache-tomcat-8.0.14-1:
> 
> # ./digest.sh secret
> Usage: RealmBase -a <algorithm> [-e <encoding>] <credentials>
> # ./digest.sh -a SHA-512 secret
> secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2
> 
> So, something in the underlying RealmBase class is different, and
> I can't get this output (or anything) to work on this server.
> There's also a warning in the log:
> 
> org.apache.tomcat.util.digester.Digester.endElement   No rules found matching 'Server/Service/Engine/Realm/Realm/CredentialHandler'.
> 
> which leads me to believe the server.xml configuration needs to be 
> different for this version too. However, none of this is indicated
> in the documentation. I'm at a complete loss.

Pluggable CredentialHandlers (and the significant upgrades to the
authentication system including support for salts and iterations for
"basic" crypto hashes) weren't added until Tomcat 8.0.15 [1], so you
won't be able to use those.

If you need to be able to use the same configuration for both Tomcat
8.0.14 and Tomcat 8.0.37, then you'll need to use the non-salted
non-iterated hashes supported by the older version. If you want to be
able to generate those hashes with Tomcat 8.0.37 and use them with
Tomcat 8.0.14, then you'll need to use some more command-line
arguments to generate a backward-compatible hash:

$ ./digest.sh -s 0 -i 1 secret
secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2

If you set the salt-length to zero (bytes) and the iteration count to
1, you'll get a hash that matches what Tomcat 8.0.14 would have produced.

Hope that helps,
- -chris


[1] http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.15_(markt)
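Chris's point that a zero-length salt and an iteration count of 1 collapse the newer `salt$iterations$digest` form back to the old bare SHA-512 can be checked in code. This is an added example, not code from the post or from Tomcat: it assumes Tomcat's MessageDigestCredentialHandler computes H(salt || password) and then re-hashes the result iterations-1 times, and the function names are mine.

```python
import hashlib
import hmac
import os

# Assumed construction (Tomcat's MessageDigestCredentialHandler, not code from the post):
# digest = H(salt || password), then (iterations - 1) extra rounds of digest = H(digest).
# Salt length 0 and iterations 1 reduce this to plain H(password), the pre-8.0.15 form.

def tomcat_digest(password: str, salt: bytes, iterations: int, algorithm: str = "SHA-512") -> bytes:
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    name = algorithm.replace("-", "").lower()  # Tomcat writes "SHA-512"; hashlib wants "sha512"
    h = hashlib.new(name)
    h.update(salt)
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest

def make_credential(password: str, salt_len: int = 32, iterations: int = 1,
                    algorithm: str = "SHA-512") -> str:
    """Stored form for tomcat-users.xml: 'hexsalt$iterations$hexdigest', or the bare hex
    digest when salt_len == 0 and iterations == 1 (the only form Tomcat 8.0.14 accepts)."""
    salt = os.urandom(salt_len)
    digest = tomcat_digest(password, salt, iterations, algorithm).hex()
    if salt_len == 0 and iterations == 1:
        return digest
    return f"{salt.hex()}${iterations}${digest}"

def parse_credential(stored: str):
    """Accept both stored forms; return (salt, iterations, expected_digest)."""
    parts = stored.split("$")
    if len(parts) == 1:
        return b"", 1, bytes.fromhex(parts[0])
    if len(parts) != 3:
        raise ValueError("unrecognised credential format")
    return bytes.fromhex(parts[0]), int(parts[1]), bytes.fromhex(parts[2])

def verify(password: str, stored: str, algorithm: str = "SHA-512") -> bool:
    salt, iterations, expected = parse_credential(stored)
    actual = tomcat_digest(password, salt, iterations, algorithm)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

# Chris's './digest.sh -s 0 -i 1 secret' output (same as Guy's 8.0.14 SHA-512 output):
LEGACY_SECRET = ("bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d6"
                 "82ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2")
```

`verify("secret", LEGACY_SECRET)` is true, and a credential made with `salt_len=32, iterations=1000` verifies the same way while being unusable on 8.0.14.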



