On Wed, Apr 5, 2023 at 4:03 AM Cedric Biedermann <[email protected]> wrote:
>
> Hi,
>
> to mitigate data breaches I want to encrypt the connection passwords in the
> database with a key.
> To insert the encrypted passwords is kind of easy with the API. My problem is
> now that I don't find the code where I have to decrypt the passwords before
> they are sent to the connection.

And this is exactly the reason why we've always come back around to not supporting encryption of the passwords within the database - because such an encryption would necessarily have to be reversible, which makes the overall value of it fairly low. If you're that concerned about it, then maybe don't store passwords in the database at all - either use tokens and link to the user's login, or use the key vault support that has been recently added.

> I am kind of lost in the whole code right now, can you tell me the file/
> function where the password is selected from the database?

If you're looking for one specific bit of code that says "Read password from database," you won't find it. A password for a connection is going to be stored in the database as a connection parameter, alongside any of the other connection parameters (hostname/IP, port, username, domain, etc.). There is a single table that contains all of these, so the code is going to read *all* of the connection parameters. This is made a little more complicated by the fact that we leverage the MyBatis code that helps abstract the Java classes from the individual database implementations, which means we write less code when implementing additional database modules.

So, the base classes for connection parameters are:

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.java
https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterModel.java

And, individual database implementations (via MyBatis) are found here:

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml
https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-postgresql/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml
https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-sqlserver/src/main/resources/org/apache/guacamole/auth/jdbc/connection/ConnectionParameterMapper.xml

But, again, all of the parameters, including passwords for the connections, are pulled with the same code at the same time, which means, if you're dead set on implementing (reversible) encryption for passwords, you're going to have to put some type of detection in the code to either do something special with any parameter called/containing "password", or some sort of prefix on the parameter value that tells you that it is encrypted - or both. Neither of these is impossible or even particularly difficult to do, but I'm not sure the value is all that high.

-Nick
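A sketch of the value-prefix approach described in the reply, added here as an example in Go; it is not Guacamole code and does not touch the MyBatis mappers. The "enc:" marker, the choice of AES-GCM, the parameter names and the key are all assumptions: every parameter the mapper returns is walked once, and only values carrying the marker are decrypted, so hostname, port and any legacy plaintext password pass through untouched.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)
const encPrefix = "enc:" // assumed convention: a stored value starting with it is ciphertext

// NewAEAD builds AES-GCM from a key held outside the database (16, 24 or 32 bytes).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one value for storage as "enc:" + base64(nonce || ciphertext || tag).
func Seal(aead cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce prepended to output
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptParameters walks the whole parameter map, as the mapper returns it, and decrypts every prefixed value whatever its name; unprefixed values pass through.
func DecryptParameters(aead cipher.AEAD, params map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(params))
	for name, value := range params {
		if !strings.HasPrefix(value, encPrefix) { // hostname, port, legacy plaintext
			out[name] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, encPrefix))
		if err != nil || len(raw) < aead.NonceSize() {
			return nil, fmt.Errorf("parameter %q: malformed encrypted value", name)
		}
		pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil) // wrong key or tampering fails here
		if err != nil {
			return nil, fmt.Errorf("parameter %q: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}
```

The key must be available to the running server, so this only hides the passwords from someone who obtains the database alone; the server can always reverse it, which is the limitation the reply points out.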
