Rob Godfrey created QPID-6993:
---------------------------------

             Summary: [Java Broker] Improve security of SCRAM-* authentication 
managers by not storing the salted passwords
                 Key: QPID-6993
                 URL: https://issues.apache.org/jira/browse/QPID-6993
             Project: Qpid
          Issue Type: Improvement
          Components: Java Broker
            Reporter: Rob Godfrey
            Assignee: Rob Godfrey
             Fix For: qpid-java-6.1


Currently the SCRAM-* authentication managers store the salted hashed password. 
 If this information is somehow leaked then the possessor of the information 
could use this value to log in to the broker without knowing the plain text 
password.

We can change the storage mechanism to store instead the "storedKey" and 
"serverKey" which will not allow the possessor of the leaked configuration to 
authenticate - they will need to know either the plain text password or the 
hashed salted password - which cannot be recovered from the password file.
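The following is an added illustration of the key derivation the issue refers to, not code from the Qpid Java Broker. It follows the SCRAM key schedule from RFC 5802/7677 using SHA-256: SaltedPassword = PBKDF2(password, salt, i); ClientKey = HMAC(SaltedPassword, "Client Key"); StoredKey = H(ClientKey); ServerKey = HMAC(SaltedPassword, "Server Key"). The broker can verify a client proof from StoredKey alone, yet a party holding only StoredKey and ServerKey cannot produce a valid proof, whereas a party holding the SaltedPassword can. The salt, iteration count, password and AuthMessage below are constructed sample values, and the helper names are this example's own.

```python
import hashlib
import hmac

HASH = "sha256"
DIGEST_LEN = 32  # output size of SHA-256 in bytes


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi(str, salt, i) from RFC 5802 is PBKDF2 with HMAC-<hash>, one output block.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations, DIGEST_LEN)


def client_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Client Key", HASH).digest()


def stored_key(ck: bytes) -> bytes:
    return hashlib.sha256(ck).digest()


def server_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Server Key", HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_record(password: str, salt: bytes, iterations: int) -> dict:
    """What a broker stores per user after the proposed change:
    salt, iteration count, StoredKey and ServerKey (never the SaltedPassword)."""
    sp = salted_password(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": stored_key(client_key(sp)),
        "server_key": server_key(sp),
    }


def client_proof(salted: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage).
    Needs the SaltedPassword (derived from the plain text password)."""
    ck = client_key(salted)
    signature = hmac.new(stored_key(ck), auth_message, HASH).digest()
    return xor(ck, signature)


def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    """Server side: recover ClientKey = ClientProof XOR ClientSignature and
    check H(ClientKey) == StoredKey. Only StoredKey is needed here."""
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    recovered_client_key = xor(proof, signature)
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), record["stored_key"])


def server_signature(record: dict, auth_message: bytes) -> bytes:
    """ServerSignature = HMAC(ServerKey, AuthMessage); proves the server knows ServerKey."""
    return hmac.new(record["server_key"], auth_message, HASH).digest()


def proof_from_leaked_record(record: dict, auth_message: bytes) -> bytes:
    """What a holder of only the stored record can compute: they lack ClientKey
    (a preimage of StoredKey), so the best they can do is substitute StoredKey
    for it. The server's check H(recovered) == StoredKey then fails."""
    signature = hmac.new(record["stored_key"], auth_message, HASH).digest()
    return xor(record["stored_key"], signature)


if __name__ == "__main__":
    # Constructed sample values; a real exchange uses random nonces and salts.
    salt, iterations = b"constructed-salt-value", 4096
    auth_message = b"n=alice,r=cnonce,r=cnonce-snonce,s=c2FsdA==,i=4096,c=biws,r=cnonce-snonce"
    record = derive_record("correct horse battery", salt, iterations)

    genuine = client_proof(salted_password("correct horse battery", salt, iterations), auth_message)
    print("genuine client accepted:", server_verify(record, auth_message, genuine))
    print("holder of stored record accepted:",
          server_verify(record, auth_message, proof_from_leaked_record(record, auth_message)))
    # Under the old scheme the stored SaltedPassword itself was enough to log in:
    leaked_salted = salted_password("correct horse battery", salt, iterations)
    print("holder of leaked salted password accepted:",
          server_verify(record, auth_message, client_proof(leaked_salted, auth_message)))
```

The last print shows the weakness the issue describes: whoever holds the SaltedPassword can compute ClientKey and therefore a valid proof, while the StoredKey/ServerKey record only lets the broker verify proofs and sign its own final message.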



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
