[jira] [Created] (GUACAMOLE-1743) Add support for more secure hasing alogirthms in user-mapping.xml

["Matteo Kloiber (Jira)" <ji...@apache.org>]

Matteo Kloiber created GUACAMOLE-1743:
-----------------------------------------

             Summary: Add support for more secure hasing alogirthms in user-mapping.xml
                 Key: GUACAMOLE-1743
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1743
             Project: Guacamole
          Issue Type: Bug
            Reporter: Matteo Kloiber


Currently only SHA-256 and md5 is supported in user-mapping.xml. Both algorithms are very vulnerable to hash table attacks as no salt or similiar mechanics are used.

 

This is a problem for home lab settups as this method is not much better than leaving leaking the plaintext password in a configuration file.

I was thinking that using a hashing algorithms such as Argon2 or pbkdf2. Although I believe argo2 is better, pbkdf2 might be preferable as it's already in the standard library. Another problem is that both algorithms need more parameter than just the hash, such as the salt and the number of iterations. So an encoding for the password parameter might be easier than creating more parameter just for this algorithm.

 

For example, with the password test, one might encode it like this:

 <authorize username="matt3o12" password="128:1000:HCgQ/crR+Ed3m5zAzcEk7w==:pzozvnzyXuz40RjCTbHv1A==:pzozvnzyXuz40RjCTbHv1A==" encoding="PBKDF2WithHmacSHA256">

 

The encoding is dkLen:iterations:salt:password

 

What are your thoughts about this? How should the additional parameters be encoded? Part of the password or maybe with additional XML parameters.

I think having good password hashing is really important, especially for home lab setups, where other login algorithms are overkill.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)