Guy,

On 11/20/17 1:23 PM, Guy Mac wrote:
> I'm failing to figure out how to encrypt passwords for (slightly)
> different versions of Tomcat 8.0.x on different platforms.

Some background: older versions of Tomcat only supported single-round hashing such as MD5, SHA-1, SHA-256, etc. and the newer versions support many more options including pluggable modules to do whatever you want. Most people will be able to use the baked-in modules to get what they want, but you can build your own if you need something special.

> With Tomcat 8.0.37 on MacOS, I run digest.sh with a password,
> placing the output in tomcat-users

Specifically, how do you run this?

> , and update the Realm for the Catalina engine to:
>
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>          resourceName="UserDatabase">
>     <CredentialHandler
>         className="org.apache.catalina.realm.MessageDigestCredentialHandler"
>         algorithm="SHA-512"/>
>   </Realm>
> </Realm>
>
> and that all works just fine.

Good.

> But when I try to repeat the steps for Tomcat 8.0.14-1 on Linux
> (Debian), it does not work. How do I encrypt passwords for this
> version of Tomcat?

The process should be the same, and the hash should be the same no matter what version of Tomcat you use to produce it, and no matter what platform you use.

From a Tomcat 7.0.x install:

$ $CATALINA_HOME/bin/digest.sh -a SHA-512 's3cret'
s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0

[Note that if you put that on the command-line it will be in your shell's history for anyone to see. Try using a leading space character to keep some shells from keeping the command in the history.]

From a Tomcat 8.0.x install:

$ $CATALINA_HOME/bin/digest.sh -a SHA-256 s3cret
s3cret:46e78df675f5842ebca3f67679a3ce14fd3ddb08727feacba84935f58914d49b$1$4e72031fe6f751d3b2390cd494971b8bf27cccf41f5ea8d7f56272f15b091207

Wait, what?!

It turns out that Tomcat 8.0.x uses a salted, iterated hash by default and so you get (a) more protection and (b) more stuff coming out. If you want to get the same thing you got from Tomcat 7.0.x, you'll need some additional command-line arguments:

$ $CATALINA_HOME/bin/digest.sh -a SHA-256 -i 1 -s 0 s3cret
s3cret:1ec1c26b50d5d3c58d9583181af8076655fe00756bf7285940ba3670f99fcba0

This is true of Tomcat 8.5.x and Tomcat 9.0.x as well.

Hope that helps,
-chris
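
The two output shapes shown in the message above, as an added example that is not part of the original e-mail and is not Tomcat's own code: a Python re-implementation that assumes the stored form is hex(salt)$iterations$hex(digest), with the digest computed as H(salt || password) and re-hashed once per further iteration. The function names are hypothetical and the credentials are constructed at run time.

```python
import hashlib
import hmac
import os

def tomcat_digest(password, algorithm="sha256", iterations=1, salt=b""):
    """Assumed scheme: H(salt || password), then H(previous) per extra round."""
    result = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        result = hashlib.new(algorithm, result).digest()
    return result.hex()

def make_credential(password, algorithm="sha256", iterations=1, salt_len=32):
    """Bare hex for the '-i 1 -s 0' case, else salt$iterations$digest."""
    if salt_len == 0 and iterations == 1:
        return tomcat_digest(password, algorithm)
    salt = os.urandom(salt_len)  # fresh random salt for every credential
    digest = tomcat_digest(password, algorithm, iterations, salt)
    return "%s$%d$%s" % (salt.hex(), iterations, digest)

def verify(password, stored, algorithm="sha256"):
    """Check a password against either stored form; malformed input fails."""
    parts = stored.split("$")
    try:
        if len(parts) == 3:    # salted, iterated form
            salt, iterations = bytes.fromhex(parts[0]), int(parts[1])
            expected = parts[2]
        elif len(parts) == 1:  # legacy single-round, unsalted hex
            salt, iterations, expected = b"", 1, stored
        else:
            return False
    except ValueError:         # non-hex salt or non-numeric iteration count
        return False
    if iterations < 1:
        return False
    actual = tomcat_digest(password, algorithm, iterations, salt)
    # Constant-time comparison of the hex strings
    return hmac.compare_digest(actual.encode(), expected.lower().encode())

if __name__ == "__main__":
    legacy = make_credential("s3cret", iterations=1, salt_len=0)  # constructed
    salted = make_credential("s3cret")                            # constructed
    print("legacy:", legacy, verify("s3cret", legacy))
    print("salted:", salted, verify("s3cret", salted))
```

The unsalted form is identical for every user who has the same password, whereas the salted default yields a different string on each run.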