Store hash of MCF admin password

[Aurélien MAZOYER <au...@francelabs.com>]

Hi all,

Is there a way to store a hash of the mcf admin password instead of a 
clear password in the configuration file of MCF?

Regards,

Aur�lien

Re: Store hash of MCF admin password

[Aurélien MAZOYER <au...@francelabs.com>]

Hi Karl,

Thank you for your answer. I created the following issue for that : 
https://issues.apache.org/jira/browse/CONNECTORS-1327

Regards,

Aur�lien

Le 22/07/2016 16:00, Karl Wright a �crit :
> Patches are welcome.  Please create a ticket and attach a patch that 
> does what you think the encryption ought to do.
>
> Karl
>
>
> On Fri, Jul 22, 2016 at 9:22 AM, Aur�lien MAZOYER 
> <aurelien.mazoyer@francelabs.com 
> <ma...@francelabs.com>> wrote:
>
>     Hi,
>
>     In order to try to improve security in MCF, I would like to be
>     able to store the password (that is currently hardcoded) used for
>     obfuscation in a specific configuration file. The aim of this
>     approach is to be able to change it but also to be able to add
>     specific linux access right on it. To do that, I think I need to
>     rewrite the Obfuscate file in the source code. Do you think this
>     approach is valid?
>
>     Regards,
>
>     Aur�lien
>
>     Le 18/07/2016 14:50, Aur�lien MAZOYER a �crit :
>>     Hi Konrad,
>>
>>     Thank you for your answer. It seems that the obfuscation tool
>>     uses a symmetric encoding with password and salt to
>>     obfuscate/deobfuscate passwords. I can see that there is a way to
>>     change the salt with a property, but it seems that the password
>>     is hardcoded in the source code. What is the best practice to use
>>     this obfuscation tool? Is it enough to change the salt in the
>>     property file?
>>
>>     Regards,
>>
>>     Aur�lien
>>
>>     Le 18/07/2016 14:13, Konrad Holl a �crit :
>>>
>>>     Hi Aur�lien,
>>>
>>>     try the obfuscate.[bat|sh] file in the obfuscation-utility
>>>     directory.
>>>
>>>     In property.xml you can use this obfuscated password instead:
>>>     org.apache.manifoldcf.login.password.obfuscated . See also
>>>     http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>>>
>>>     Hope that helps,
>>>
>>>     Konrad.
>>>
>>>     *From:*Aur�lien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
>>>     *Sent:* Montag, 18. Juli 2016 13:31
>>>     *To:* user@manifoldcf.apache.org <ma...@manifoldcf.apache.org>
>>>     *Subject:* Store hash of MCF admin password
>>>
>>>     Hi all,
>>>
>>>     Is there a way to store a hash of the mcf admin password instead
>>>     of a clear password in the configuration file of MCF?
>>>
>>>     Regards,
>>>
>>>     Aur�lien
>>>
>>
>
>

Re: Store hash of MCF admin password

[Karl Wright <da...@gmail.com>]

Patches are welcome.  Please create a ticket and attach a patch that does
what you think the encryption ought to do.

Karl


On Fri, Jul 22, 2016 at 9:22 AM, Aurélien MAZOYER <
aurelien.mazoyer@francelabs.com> wrote:

> Hi,
>
> In order to try to improve security in MCF, I would like to be able to
> store the password (that is currently hardcoded) used for obfuscation in a
> specific configuration file. The aim of this approach is to be able to
> change it but also to be able to add specific linux access right on it. To
> do that, I think I need to rewrite the Obfuscate file in the source code.
> Do you think this approach is valid?
>
> Regards,
>
> Aurélien
>
> Le 18/07/2016 14:50, Aurélien MAZOYER a écrit :
>
> Hi Konrad,
>
> Thank you for your answer. It seems that the obfuscation tool uses a
> symmetric encoding with password and salt to obfuscate/deobfuscate
> passwords. I can see that there is a way to change the salt with a
> property, but it seems that the password is hardcoded in the source code.
> What is the best practice to use this obfuscation tool? Is it enough to
> change the salt in the property file?
>
> Regards,
>
> Aurélien
>
> Le 18/07/2016 14:13, Konrad Holl a écrit :
>
> Hi Aurélien,
>
>
>
> try the obfuscate.[bat|sh] file in the obfuscation-utility directory.
>
>
>
> In property.xml you can use this obfuscated password instead:
> org.apache.manifoldcf.login.password.obfuscated . See also
> http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>
>
>
> Hope that helps,
>
>
>
> Konrad.
>
>
>
> *From:* Aurélien MAZOYER [ <au...@francelabs.com>
> mailto:aurelien.mazoyer@francelabs.com <au...@francelabs.com>]
> *Sent:* Montag, 18. Juli 2016 13:31
> *To:* user@manifoldcf.apache.org
> *Subject:* Store hash of MCF admin password
>
>
>
> Hi all,
>
> Is there a way to store a hash of the mcf admin password instead of a
> clear password in the configuration file of MCF?
>
> Regards,
>
> Aurélien
>
>
>
>

Re: Store hash of MCF admin password

[Aurélien MAZOYER <au...@francelabs.com>]

Hi,

In order to try to improve security in MCF, I would like to be able to 
store the password (that is currently hardcoded) used for obfuscation in 
a specific configuration file. The aim of this approach is to be able to 
change it but also to be able to add specific linux access right on it. 
To do that, I think I need to rewrite the Obfuscate file in the source 
code. Do you think this approach is valid?

Regards,

Aur�lien

Le 18/07/2016 14:50, Aur�lien MAZOYER a �crit :
> Hi Konrad,
>
> Thank you for your answer. It seems that the obfuscation tool uses a 
> symmetric encoding with password and salt to obfuscate/deobfuscate 
> passwords. I can see that there is a way to change the salt with a 
> property, but it seems that the password is hardcoded in the source 
> code. What is the best practice to use this obfuscation tool? Is it 
> enough to change the salt in the property file?
>
> Regards,
>
> Aur�lien
>
> Le 18/07/2016 14:13, Konrad Holl a �crit :
>>
>> Hi Aur�lien,
>>
>> try the obfuscate.[bat|sh] file in the obfuscation-utility directory.
>>
>> In property.xml you can use this obfuscated password instead: 
>> org.apache.manifoldcf.login.password.obfuscated . See also 
>> http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>>
>> Hope that helps,
>>
>> Konrad.
>>
>> *From:*Aur�lien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
>> *Sent:* Montag, 18. Juli 2016 13:31
>> *To:* user@manifoldcf.apache.org
>> *Subject:* Store hash of MCF admin password
>>
>> Hi all,
>>
>> Is there a way to store a hash of the mcf admin password instead of a 
>> clear password in the configuration file of MCF?
>>
>> Regards,
>>
>> Aur�lien
>>
>

Re: Store hash of MCF admin password

[Aurélien MAZOYER <au...@francelabs.com>]

Hi Konrad,

Thank you for your answer. It seems that the obfuscation tool uses a 
symmetric encoding with password and salt to obfuscate/deobfuscate 
passwords. I can see that there is a way to change the salt with a 
property, but it seems that the password is hardcoded in the source 
code. What is the best practice to use this obfuscation tool? Is it 
enough to change the salt in the property file?

Regards,

Aur�lien

Le 18/07/2016 14:13, Konrad Holl a �crit :
>
> Hi Aur�lien,
>
> try the obfuscate.[bat|sh] file in the obfuscation-utility directory.
>
> In property.xml you can use this obfuscated password instead: 
> org.apache.manifoldcf.login.password.obfuscated . See also 
> http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>
> Hope that helps,
>
> Konrad.
>
> *From:*Aur�lien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
> *Sent:* Montag, 18. Juli 2016 13:31
> *To:* user@manifoldcf.apache.org
> *Subject:* Store hash of MCF admin password
>
> Hi all,
>
> Is there a way to store a hash of the mcf admin password instead of a 
> clear password in the configuration file of MCF?
>
> Regards,
>
> Aur�lien
>

RE: Store hash of MCF admin password

[Konrad Holl <KH...@searchtechnologies.com>]

Hi Aurélien,

try the obfuscate.[bat|sh] file in the obfuscation-utility directory.

In property.xml you can use this obfuscated password instead: org.apache.manifoldcf.login.password.obfuscated . See also http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html

Hope that helps,

Konrad.

From: Aurélien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
Sent: Montag, 18. Juli 2016 13:31
To: user@manifoldcf.apache.org
Subject: Store hash of MCF admin password

Hi all,

Is there a way to store a hash of the mcf admin password instead of a clear password in the configuration file of MCF?

Regards,

Aurélien