Hm, why introduce a new password hash format? Just use the modular crypt() format 
(and iterations). This allows the use of common tools (like htpasswd) to generate 
the hashes. It would use the $5$ prefix for SHA256, but actually I would use $6$ for 
iterated SHA512 as it is the default on most recent Linux distributions.

Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
From: serviceability-dev <serviceability-dev-boun...@openjdk.java.net> on 
behalf of Harsha Wardhana B <harsha.wardhan...@oracle.com>
Sent: Sunday, April 23, 2017 12:20:57 PM
To: serviceability-dev@openjdk.java.net
Subject: RFE Review : JDK-5016517 - Replace plaintext passwords by hashed 
passwords for out-of-the-box JMX Agent


Hi All,

Please review this enhancement to replace the plain-text password for the JMX agent 
with a SHA-256 hash.

Issue: https://bugs.openjdk.java.net/browse/JDK-5016517

webrev: http://cr.openjdk.java.net/~hb/5016517/webrev.00/

Overview of implementation:

Currently, the JMX agent password file used to authenticate users stores the user 
name and password as clear text. Though system-level restrictions are 
recommended for the jmx password file, passwords are vulnerable since they are 
stored in the clear. The current RFE proposes to store passwords as a SHA256 hash 
instead of clear text.

In the current implementation, if the password file is writable and the passwords are 
in the clear, they will be replaced by a SHA256 hash upon agent boot-up or when a login 
attempt is made.

The file, src/jdk.management.agent/share/conf/jmxremote.password.template 
contains more details about the implementation.

- Harsha
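What Bernd's suggestion would look like in practice, as an added example that is not part of either message above and not OpenJDK code: a self-contained implementation of the $6$ (sha512crypt) scheme in the modular crypt format, using only the Python standard library, plus a parser for `$id$[rounds=N$]salt$hash` strings and a constant-time verifier. The function names (`sha512_crypt`, `parse_mcf`, `verify`, `new_hash`) are this example's own. Hashes produced here can be checked against any glibc `crypt(3)`, `mkpasswd -m sha-512` or `htpasswd`-style tool that emits $6$ strings, which is the interoperability point Bernd is making.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# crypt(3) uses its own 64-character alphabet, not RFC 4648 base64.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAX_SALT = 16                      # glibc truncates the salt to 16 characters
_DEFAULT_ROUNDS = 5000              # used when no "rounds=N$" field is present
_MIN_ROUNDS, _MAX_ROUNDS = 1000, 999_999_999


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat DIGEST to exactly LENGTH bytes (builds the P and S byte sequences)."""
    return (digest * (length // len(digest) + 1))[:length]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit N crypt-base64 chars from three bytes, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: str, rounds: Optional[int] = None) -> str:
    """sha512crypt ($6$) as specified by Ulrich Drepper and implemented in glibc."""
    salt = salt.split("$", 1)[0][:_MAX_SALT]
    salt_b = salt.encode()
    custom = rounds is not None
    r = min(max(rounds if custom else _DEFAULT_ROUNDS, _MIN_ROUNDS), _MAX_ROUNDS)
    klen = len(password)

    # Digest B = H(password || salt || password)
    alt = hashlib.sha512(password + salt_b + password).digest()
    # Digest A = H(password || salt || B[:klen] || per-bit mix of B / password)
    ctx = hashlib.sha512(password + salt_b + _fill(alt, klen))
    n = klen
    while n > 0:
        ctx.update(alt if n & 1 else password)
        n >>= 1
    alt = ctx.digest()

    # P: H(password repeated klen times) stretched to klen bytes
    p = _fill(hashlib.sha512(password * klen).digest(), klen)
    # S: H(salt repeated 16 + A[0] times) stretched to len(salt) bytes
    s = _fill(hashlib.sha512(salt_b * (16 + alt[0])).digest(), len(salt_b))

    # The iteration that makes the scheme slow (this is the "rounds" Bernd refers to).
    for i in range(r):
        ctx = hashlib.sha512()
        ctx.update(p if i & 1 else alt)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(alt if i & 1 else p)
        alt = ctx.digest()

    # Output: 21 rotated triples {k, k+21, k+42} of 4 chars, then byte 63 as 2 chars.
    out = []
    for k in range(21):
        a, b, c = k, k + 21, k + 42
        if k % 3 == 1:
            a, b, c = b, c, a
        elif k % 3 == 2:
            a, b, c = c, a, b
        out.append(_b64_24bit(alt[a], alt[b], alt[c], 4))
    out.append(_b64_24bit(0, 0, alt[63], 2))
    prefix = "$6$" + (f"rounds={r}$" if custom else "")
    return prefix + salt + "$" + "".join(out)


def parse_mcf(stored: str) -> Tuple[str, Optional[int], str, str]:
    """Split '$id$[rounds=N$]salt$hash' into (id, rounds, salt, hash)."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not a modular-crypt-format string")
    ident, idx, rounds = parts[1], 2, None
    if parts[idx].startswith("rounds="):
        rounds = int(parts[idx][len("rounds="):])
        idx += 1
    if len(parts) != idx + 2:
        raise ValueError("unexpected number of fields")
    return ident, rounds, parts[idx], parts[idx + 1]


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    ident, rounds, salt, _ = parse_mcf(stored)
    if ident != "6":
        raise ValueError(f"unsupported scheme ${ident}$")
    candidate = sha512_crypt(password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)


def new_hash(password: str, rounds: Optional[int] = None) -> str:
    """Hash a new password with a fresh 16-character random salt."""
    salt = "".join(_B64[b % 64] for b in os.urandom(_MAX_SALT))
    return sha512_crypt(password.encode(), salt, rounds)


if __name__ == "__main__":
    # Constructed demo values; the first line matches the reference vector from the sha-crypt spec.
    print(sha512_crypt(b"Hello world!", "saltstring"))
    h = new_hash("monitor-pass", rounds=10000)
    print(h, verify("monitor-pass", h), verify("wrong", h))
```

A stored line such as `monitorRole $6$rounds=10000$...` carries the scheme, its cost and the salt inside the string itself, so the agent can verify it without any out-of-band configuration and an operator can generate it with existing tooling instead of a Java-specific utility.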


