I think we should have a gpasswd tool that can set a password, add
accounts, remove them etc, and it would work in all the realms we
provide. Basically PAM for G.
-dain
--
Dain Sundstrom
Chief Architect
Gluecode Software
310.536.8355, ext. 26
On Nov 1, 2004, at 10:41 AM, Aaron Mulder (JIRA) wrote:
[ http://nagoya.apache.org/jira/browse/GERONIMO-411?page=comments#action_54897 ]
Aaron Mulder commented on GERONIMO-411:
---------------------------------------
I don't like requiring entries to be hashed to begin with, because
then you need a tool to edit the file. In my experience, it's nicer
to put plain text in the file and let the server replace that with the
hashed version.
But... if we were not going to rewrite, but we still want hashes, then
I think we need to provide a tool to add or update entries in the
file, so you still get everything you need in the Geronimo download.
Some products just have you use htpasswd, but I don't like that
approach much (and I thought that used crypt instead of MD5 anyway,
though I don't really know).
What is it about rewriting that bothers you?
Add Hash Password Rewrite to File Realm
---------------------------------------
Key: GERONIMO-411
URL: http://nagoya.apache.org/jira/browse/GERONIMO-411
Project: Apache Geronimo
Type: Improvement
Components: security
Versions: 1.0-M2
Reporter: Aaron Mulder
Priority: Minor
It would be nice if the properties file realm could rewrite your
properties file with hashed passwords when it reads it. We would
need to be able to recognize hashed vs. unhashed entries and perhaps
even different algorithms. Perhaps it could go like this:
user1=plaintext
user2=MD5{...}
user3=SHA1{...}
Anyway, the idea is that this could be a reasonably secure
alternative, but you still wouldn't need to manually hash things to
add or update entries -- just put a plain text entry in and the next
time the server reads the file it would hash it for you.
I guess we'd need to synchronize on the hash operation to avoid
threading problems if multiple apps or whatever use the same
properties file, but it shouldn't be bad if we only rewrite the file
if we find any plain text entries.
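The rewrite-on-read behaviour described in the issue above, as an added example that is not part of the original thread and is not Geronimo code. The class and method names (HashRewrite, rewrite, sha1Entry) and the sample entries are assumptions; the unsalted SHA-1 digest only follows the SHA1{...} notation from the issue, and a salted, iterated scheme such as PBKDF2 would resist offline guessing far better.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.Pattern;

public class HashRewrite { // hypothetical name, not a Geronimo class
    // An entry counts as hashed if it matches the issue's notation, MD5{hex} or SHA1{hex}.
    // Caveat: a plain-text password that happens to look like this is left untouched.
    private static final Pattern HASHED = Pattern.compile("(MD5|SHA1)\\{[0-9a-fA-F]+\\}");

    static String sha1Entry(String plain) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(plain.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder("SHA1{");
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.append('}').toString();
    }

    // synchronized: callers in the same JVM cannot interleave the read and the rewrite.
    // Returns the number of plain-text entries that were replaced by hashes.
    static synchronized int rewrite(Path file) throws Exception {
        Properties users = new Properties();
        try (InputStream in = Files.newInputStream(file)) { users.load(in); }
        int changed = 0;
        for (String user : users.stringPropertyNames()) { // snapshot, safe to update while looping
            String value = users.getProperty(user);
            if (HASHED.matcher(value).matches()) continue;
            users.setProperty(user, sha1Entry(value));
            changed++;
        }
        if (changed == 0) return 0; // no plain text found: leave the file alone
        // Write a sibling temp file and rename it over the original, so a reader never
        // sees a half-written file. Properties.store drops comments and entry order.
        Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "users", ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) { users.store(out, null); }
        Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return changed;
    }

    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("users", ".properties");
        // Constructed sample entries: one plain text, one already hashed.
        Files.write(f, Arrays.asList("user1=plaintext", "user2=MD5{00112233445566778899aabbccddeeff}"));
        System.out.println("first pass rewrote " + rewrite(f) + " entry");   // 1
        System.out.println("second pass rewrote " + rewrite(f) + " entries"); // 0
        Files.readAllLines(f).forEach(System.out::println);
    }
}
```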