Hi,
In order to try to improve security in MCF, I would like to be able to
store the password (that is currently hardcoded) used for obfuscation in
a specific configuration file. The aim of this approach is to be able to
change it but also to be able to add specific linux access right on it.
To do that, I think I need to rewrite the Obfuscate file in the source
code. Do you think this approach is valid?
Regards,
Aurélien
Le 18/07/2016 14:50, Aurélien MAZOYER a écrit :
Hi Konrad,
Thank you for your answer. It seems that the obfuscation tool uses a
symmetric encoding with password and salt to obfuscate/deobfuscate
passwords. I can see that there is a way to change the salt with a
property, but it seems that the password is hardcoded in the source
code. What is the best practice to use this obfuscation tool? Is it
enough to change the salt in the property file?
Regards,
Aurélien
Le 18/07/2016 14:13, Konrad Holl a écrit :
Hi Aurélien,
try the obfuscate.[bat|sh] file in the obfuscation-utility directory.
In property.xml you can use this obfuscated password instead:
org.apache.manifoldcf.login.password.obfuscated . See also
http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
Hope that helps,
Konrad.
*From:*Aurélien MAZOYER [mailto:[email protected]]
*Sent:* Montag, 18. Juli 2016 13:31
*To:* [email protected]
*Subject:* Store hash of MCF admin password
Hi all,
Is there a way to store a hash of the mcf admin password instead of a
clear password in the configuration file of MCF?
Regards,
Aurélien
