On Fri, Jul 14, 2017 at 1:14 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

> Well, the default jwKey is hard-coded in
>
> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java#L31
>
> no?

Sure, but that's only used to check that the default value in
security.properties has been changed. The value in Encryptor is actually
used for encryption if the property does not appear in security.properties
at all. I'm just wondering if we need to support this use-case; it seems
reasonable to error if the property is not there, and then this default
value could be removed from Encryptor? Not a big deal either way though :-)

Colm.

>> If you are ok with switching to SSHA256 for 2.1.0 I'll create a JIRA....
>
> Sure, please go ahead.
>
> Regards.
>
>> On Fri, Jul 14, 2017 at 12:09 PM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>
>>> On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
>>>
>>>> OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
>>>>
>>>> BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
>>>> Encryptor. If SECRET_KEY is null we should probably throw an
>>>> exception...
>>>
>>> We recently took a different approach for default admin password, default
>>> JWS key, etc
>>>
>>> https://issues.apache.org/jira/browse/SYNCOPE-1119
>>>
>>> No?
>>>
>>>> On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>>
>>>>> On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> How does the salt configuration work for "SSHA256"? Is it stored in
>>>>>> security.properties?
>>>>>
>>>>> Password values are encrypted by
>>>>>
>>>>> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
>>>>>
>>>>> with configuration from security.properties
>>>>>
>>>>> Regards.
>>>>>
>>>>>> On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>>>>
>>>>>>> On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
>>>>>>>
>>>>>>>> I guess SHA-256 would be a straightforward replacement. Maybe we should
>>>>>>>> instead move to a salted hash though?
>>>>>>>
>>>>>>> Well, just set your preference among
>>>>>>>
>>>>>>> https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java
>>>>>>>
>>>>>>> :-)
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>> On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>>>>>>
>>>>>>>>> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>>>>>>>>>
>>>>>>>>>> Should we change the default password algorithm from SHA1 for 2.1.0? It's
>>>>>>>>>> probably time to migrate from SHA1 IMO.
>>>>>>>>>
>>>>>>>>> Makes sense.
>>>>>>>>>
>>>>>>>>> The only problem I could see is when pulling hashed password values from
>>>>>>>>> LDAP, where SHA1 is still quite common. Not a big deal, anyway.
>>>>>>>>>
>>>>>>>>> Which algorithm do you propose?
>>>>>>>>>
>>>>>>>>> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
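The two points argued in the thread, a salted SHA-256 hash in place of unsalted SHA1 and failing fast when the secret key is absent rather than silently using a hard-coded default, as an added Java example that is not Syncope's Encryptor or DefaultCredentialChecker code. It assumes the LDAP-style {SSHA256} layout base64(SHA-256(password || salt) || salt) with a 16-byte random salt, and a hypothetical property name secretKey; how Syncope actually lays out SSHA256 values or reads security.properties is not claimed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;

public final class SaltedHashDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_LEN = 16;          // assumption: 16-byte salt
    private static final int SHA256_LEN = 32;
    private static final String PREFIX = "{SSHA256}"; // assumption: LDAP-style prefix

    // Unsalted SHA-1: the same password always yields the same digest, so equal
    // passwords are visible across accounts and precomputed tables apply.
    static String sha1(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Salted SHA-256 with a fresh random salt. The salt is stored inside the
    // value itself, so nothing salt-related has to live in a properties file.
    static String ssha256(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        return ssha256(password, salt);
    }

    // base64(SHA-256(password || salt) || salt), prefixed with the scheme name.
    static String ssha256(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        byte[] digest = md.digest();
        byte[] out = new byte[digest.length + salt.length];
        System.arraycopy(digest, 0, out, 0, digest.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    // Verification recovers the salt from the stored value, recomputes, and
    // compares in constant time.
    static boolean verifySsha256(String password, String stored) throws NoSuchAlgorithmException {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return false;
        }
        byte[] raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        if (raw.length <= SHA256_LEN) {
            return false; // no salt present: malformed value
        }
        byte[] salt = Arrays.copyOfRange(raw, SHA256_LEN, raw.length);
        String recomputed = ssha256(password, salt);
        return MessageDigest.isEqual(recomputed.getBytes(StandardCharsets.UTF_8),
                                     stored.getBytes(StandardCharsets.UTF_8));
    }

    // Fail fast when the key is missing instead of falling back to a built-in
    // default. "secretKey" is a hypothetical property name for this example.
    static String requireSecretKey(Properties props) {
        String key = props.getProperty("secretKey");
        if (key == null || key.trim().isEmpty()) {
            throw new IllegalStateException("secretKey is not set in security.properties");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse battery staple"; // constructed sample password

        System.out.println("SHA1    a: " + sha1(pw));
        System.out.println("SHA1    b: " + sha1(pw)); // identical to the line above

        String h1 = ssha256(pw);
        String h2 = ssha256(pw);
        System.out.println("SSHA256 a: " + h1);
        System.out.println("SSHA256 b: " + h2);       // differs: fresh salt each time
        System.out.println("verify ok : " + verifySsha256(pw, h1));
        System.out.println("verify bad: " + verifySsha256("wrong password", h1));

        Properties props = new Properties();         // constructed: no secretKey at all
        try {
            requireSecretKey(props);
        } catch (IllegalStateException e) {
            System.out.println("startup rejected: " + e.getMessage());
        }
    }
}
```

Running main shows the SHA1 lines identical and the two SSHA256 lines different, with verification still succeeding because the salt travels with the hash; the missing-key case is rejected at startup instead of being masked by a default. When pulling existing {SSHA} values from LDAP, the same parse-salt-then-recompute shape works, only with SHA-1 and a 20-byte digest, which is why keeping SHA1 available for imported values and changing only the default for new passwords are separate decisions.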