Posted to dev@directory.apache.org by Stefan Zoerner <st...@labeo.de> on 2010/02/07 17:23:24 UTC
Password hashed with SSHA-256 within ApacheDS (was: Re: Implementing
a simple interceptor: Adding it to the chain)
Hi Emmanuel!
Emmanuel Lecharny wrote:
> On 2/7/10 11:00 AM, Stefan Zoerner wrote:
>> Good morning Emmanuel!
>>
>> Emmanuel Lecharny wrote:
>>> I will have a look at it tomorrow.
>>
>> That would be great! Thanks!
> Done !
Thanks a lot, I have taken into account all your great advice and modified
the page a little bit:
http://cwiki.apache.org/confluence/display/DIRxSBOX/Implementing+a+simple+interceptor
Think, I can move it to the official documentation, if no one votes
against that.
But there is the "One last thing". You wrote:
> One last thing : you should suggest to use SSHA-256, instead of MD5.
> MD5 is considered as weak : http://www.schneier.com/essay-074.html (so
> is SSHA1, btw :-)
This is a good hint, and it would be quite easy to configure the
PasswordHashInterceptor like that. I tried it out, and the password has
been stored encrypted with SSHA-256. Unfortunately, ApacheDS 1.5.5 does
not authenticate users with passwords stored like that. SSHA-256 is not
one of the supported hash algorithms, see class
org.apache.directory.server.core.authn.SimpleAuthenticator and enum
org.apache.directory.shared.ldap.constants.LdapSecurityConstants.
The same holds true for Apache Directory Studio, btw. It does not support
this hash function.
Should I raise a JIRA which addresses that? I think I would even be able
to add that on my own to the server, if wished (at least I was able to
find the place in the server code ;-).
Greetings from Hamburg,
StefanZ
Re: Password hashed with SSHA-256 within ApacheDS (was: Re:
Implementing a simple interceptor: Adding it to the chain)
Posted by Emmanuel Lecharny <el...@apache.org>.
Yeah, raise a JIRA. Implementing SHA-256 is probably a matter of minutes.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com