Re: Securing Manager Role
hi,

looks like you're stuck with your kshell. how about specifying canonical path to your java executable, e.g. /opt/bin/java?

or if you're under some unix environment like FreeBSD, you can just use 'md5' or 'sha1' provided by system:

% sha1 -s 'passphrase here'

it will produce the same result for you.

On 10/27/05, Nehal Sangoi [EMAIL PROTECTED] wrote:
> Hi,
>
> I modified my server.xml as follows.
>
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA1"/>
>
> Also, downloaded commons-logging-20051027.tar.gz and untarred the same.
>
> Later I tried giving below command :
>
> $ java -classpath $CATALINA_HOME/server/lib/catalina.jar:/opt/commons-logging/commons- logging.jar org.apache.catalina.realm.RealmBase -a sha1 manager
>
> But recd. following error :
>
> ksh: syntax error: `newline or ;' unexpected
>
> Please help doing this successfully.
>
> Thanks,
> Nehal

--
Regards,
Charlie
RE: Securing Manager Role
Hi,

I could do it successfully yesterday. The right command line is as follows.

$ java -classpath $CATALINA_HOME/server/lib/catalina.jar:/opt/commons-logging/commons-logging.jar org.apache.catalina.realm.RealmBase -a sha1 manager

Thank You so much for providing this solution.

Regds,
Nehal

-----Original Message-----
From: Charlie C.L. King [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 27, 2005 8:12 PM
To: Tomcat Users List; [EMAIL PROTECTED]
Subject: Re: Securing Manager Role

hi,

looks like you're stuck with your kshell. how about specifying canonical path to your java executable, e.g. /opt/bin/java?

or if you're under some unix environment like FreeBSD, you can just use 'md5' or 'sha1' provided by system:

% sha1 -s 'passphrase here'

it will produce the same result for you.

On 10/27/05, Nehal Sangoi [EMAIL PROTECTED] wrote:
> Hi,
>
> I modified my server.xml as follows.
>
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA1"/>
>
> Also, downloaded commons-logging-20051027.tar.gz and untarred the same.
>
> Later I tried giving below command :
>
> $ java -classpath $CATALINA_HOME/server/lib/catalina.jar:/opt/commons-logging/commons- logging.jar org.apache.catalina.realm.RealmBase -a sha1 manager
>
> But recd. following error :
>
> ksh: syntax error: `newline or ;' unexpected
>
> Please help doing this successfully.
>
> Thanks,
> Nehal

--
Regards,
Charlie
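Added example (not part of the original thread and not Tomcat's own code): a small audit of a tomcat-users.xml file that reports which entries still hold a cleartext password once digest="SHA1" is configured, and models the digest-then-compare check. The sample file, user names and passwords are constructed, and the case-insensitive hex comparison is an assumption of this sketch.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

HEX40 = re.compile(r"[0-9a-fA-F]{40}")  # SHA-1 is 20 bytes, i.e. 40 hex characters


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password bytes (the value `sha1 -s '...'` prints)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_users(xml_text: str) -> dict:
    """Classify each user's stored password as 'digest' or 'cleartext' by its shape."""
    report = {}
    for user in ET.fromstring(xml_text).iter("user"):
        stored = user.get("password", "")
        report[user.get("username")] = "digest" if HEX40.fullmatch(stored) else "cleartext"
    return report


def check_login(xml_text: str, username: str, password: str) -> bool:
    """Model of a realm with digest="SHA1": digest the supplied password, then compare."""
    for user in ET.fromstring(xml_text).iter("user"):
        if user.get("username") == username:
            stored = user.get("password", "").lower().encode("utf-8")
            # Assumption of this sketch: hex case is ignored when comparing.
            return hmac.compare_digest(stored, sha1_hex(password).encode("utf-8"))
    return False


# Constructed sample file; user names and passwords are made up for this example.
SAMPLE = f"""<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="{sha1_hex('example-passphrase')}" roles="manager"/>
  <user username="legacy" password="s3cret" roles="manager"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, kind in audit_users(SAMPLE).items():
        print(f"{name}: {kind}")
    print("admin login ok:", check_login(SAMPLE, "admin", "example-passphrase"))
    print("legacy login ok:", check_login(SAMPLE, "legacy", "s3cret"))
```

In this model an entry left in cleartext stops authenticating once the digest attribute is set, so every password in the file has to be converted together. The digest is unsalted, so file permissions on tomcat-users.xml still matter.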
RE: Securing Manager Role
Is there any way for associating unix user manager to tomcat's manager role and have encrypted password?

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 26, 2005 2:14 AM
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Securing Manager Role

This is not supported because there is simply no point. If someone can read the tomcat-users.xml file then they almost certainly own the server and you have bigger problems than someone having access to the manager app.

Consider if the password was encrypted, where is the decryption key stored? There is no point putting it in the Tomcat code since it is open source (and even if it wasn't it would still be bad security). You could put it in a separate file, but if an attacker can read tomcat-users.xml, there is no reason to suppose they won't be able to read the file with the key.

Mark

-----Original Message-----
From: Nehal Sangoi [mailto:[EMAIL PROTECTED]
Sent: Monday, October 24, 2005 10:05 AM
To: 'Tomcat Users List'
Subject: Securing Manager Role

Hi,

How can I encrypt the manager user's password in tomcat-users.xml file? I need to keep manager-deployer thing be secured in my environment.

Thanks

Regards,
Nehal
RE: Securing Manager Role
Sorry, as has been pointed out my response isn't correct. Digesting the passwords is supported - see the docs.

Where encrypting passwords is not supported is for external resources such as databases.

Mark

-----Original Message-----
From: Mark Thomas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 25, 2005 9:44 PM
To: 'Tomcat Users List'; [EMAIL PROTECTED]
Subject: RE: Securing Manager Role

This is not supported because there is simply no point. If someone can read the tomcat-users.xml file then they almost certainly own the server and you have bigger problems than someone having access to the manager app.

Consider if the password was encrypted, where is the decryption key stored? There is no point putting it in the Tomcat code since it is open source (and even if it wasn't it would still be bad security). You could put it in a separate file, but if an attacker can read tomcat-users.xml, there is no reason to suppose they won't be able to read the file with the key.

Mark

-----Original Message-----
From: Nehal Sangoi [mailto:[EMAIL PROTECTED]
Sent: Monday, October 24, 2005 10:05 AM
To: 'Tomcat Users List'
Subject: Securing Manager Role

Hi,

How can I encrypt the manager user's password in tomcat-users.xml file? I need to keep manager-deployer thing be secured in my environment.

Thanks

Regards,
Nehal
RE: Securing Manager Role
This is not supported because there is simply no point. If someone can read the tomcat-users.xml file then they almost certainly own the server and you have bigger problems than someone having access to the manager app.

Consider if the password was encrypted, where is the decryption key stored? There is no point putting it in the Tomcat code since it is open source (and even if it wasn't it would still be bad security). You could put it in a separate file, but if an attacker can read tomcat-users.xml, there is no reason to suppose they won't be able to read the file with the key.

Mark

-----Original Message-----
From: Nehal Sangoi [mailto:[EMAIL PROTECTED]
Sent: Monday, October 24, 2005 10:05 AM
To: 'Tomcat Users List'
Subject: Securing Manager Role

Hi,

How can I encrypt the manager user's password in tomcat-users.xml file? I need to keep manager-deployer thing be secured in my environment.

Thanks

Regards,
Nehal