From: Dimas Souza
Date: Wed, 22 Nov 2017 11:43:43 +0100
Subject: users-thread.12345@tomcat.apache.org
To: users@tomcat.apache.org

Hi Christopher,

I've been trying to figure out this issue as well, thank you for your answer, it has clarified some questions of my own. I still have a question about your answer though, see below:

On 11/20/17 10:53 PM, Christopher Schultz wrote:
>Guy,
>
>On 11/20/17 1:23 PM, Guy Mac wrote:
>> I'm failing to figure out how to encrypt passwords for (slightly)
>> different versions of Tomcat 8.0.x on different platforms.
>
>Some background: older versions of Tomcat only supported single-round
>hashing such as MD5, SHA-1, SHA-256, etc. and the newer versions
>support many more options including pluggable modules to do whatever
>you want. Most people will be able to use the baked-in modules to get
>what they want, but you can build your own if you need something special.
>
>> With Tomcat 8.0.37 on MacOS, I run digest.sh with a password,
>> placing the output in tomcat-users
>
>Specifically, how do you run this?
>
>> , and update the Realm for the Catalina engine to:
>>
>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>          resourceName="UserDatabase">
>>     <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>>                        algorithm="SHA-512"/>
>>   </Realm>
>> </Realm>
>>
>> and that all works just fine.
>
>Good.
>
>> But when I try to repeat the steps for Tomcat 8.0.14-1 on Linux
>> (Debian), it does not work. How do I encrypt passwords for this
>> version of Tomcat?
>
>The process should be the same, and the hash should be the same
>no matter what version of Tomcat you use to produce it, and no
>matter what platform you use.
>
>From a Tomcat 7.0.x install:
>
>$ $CATALINA_HOME/bin/digest.sh -a SHA-512 's3cret'
>s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0
>
>[Note that if you put that on the command-line it will be in your
>shell's history for anyone to see. Try using a leading space character
>to keep some shells from keeping the command in the history.]
>
>From a Tomcat 8.0.x install:
>$ $CATALINA_HOME/bin/digest.sh -a SHA-256 s3cret
>s3cret:46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d49b$
>1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207
>
>Wait, what?! It turns out that Tomcat 8.0.x uses a salted, iterated
>hash by default and so you get (a) more protection and (b) more stuff
>coming out.
>
>If you want to get the same thing you got from Tomcat 7.0.x, you'll
>need some additional command-line arguments:
>
>$ $CATALINA_HOME/bin/digest.sh -a SHA-256 -i 1 -s 0 s3cret
>s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0
>
>This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.

Since you had to put some more arguments to generate the digest, are they also necessary on the server.xml file?

>Hope that helps,
>-chris

Thanks in advance,
-Dimas
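The salt$iterations$hash layout of the Tomcat 8.0.x digest.sh output quoted above, as an added Python example that is not part of the original message and is not Tomcat's code. It assumes UTF-8 passwords and that round 1 hashes the salt followed by the password while each later round re-hashes the previous digest; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def _md(algorithm):
    # Map Java-style names ("SHA-256") to hashlib names ("sha256").
    return algorithm.replace("-", "").lower()

def digest(algorithm, iterations, salt, password):
    """Assumed scheme: hash(salt + password), then re-hash the digest per extra round."""
    result = hashlib.new(_md(algorithm), salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.new(_md(algorithm), result).digest()
    return result.hex()

def make_stored(algorithm, password, iterations=1, salt_length=32):
    """With no salt and a single round the stored value is the bare hex hash."""
    if salt_length == 0 and iterations == 1:
        return digest(algorithm, 1, b"", password)
    salt = os.urandom(salt_length)
    return f"{salt.hex()}${iterations}${digest(algorithm, iterations, salt, password)}"

def parse_stored(stored):
    """Return (salt_bytes, iterations, hex_hash) for either stored form."""
    if "$" not in stored:
        return b"", 1, stored.lower()
    salt_hex, iterations, hex_hash = stored.split("$")
    return bytes.fromhex(salt_hex), int(iterations), hex_hash.lower()

def matches(algorithm, password, stored):
    """Salt and round count come from the stored string, not from the caller."""
    salt, iterations, expected = parse_stored(stored)
    candidate = digest(algorithm, iterations, salt, password)
    return hmac.compare_digest(candidate, expected)  # constant-time compare

# Stored value from the quoted reply, used here for parsing only.
QUOTED = ("46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d49b"
          "$1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207")

if __name__ == "__main__":
    salt, rounds, hex_hash = parse_stored(QUOTED)
    print(f"salt bytes={len(salt)} iterations={rounds} hash hex chars={len(hex_hash)}")
    # Constructed credential: 16-byte random salt, 1000 rounds.
    stored = make_stored("SHA-256", "s3cret", iterations=1000, salt_length=16)
    print(matches("SHA-256", "s3cret", stored), matches("SHA-256", "wrong", stored))
```
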