You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Jeff Domeyer (JIRA)" <ji...@apache.org> on 2011/05/28 16:16:47 UTC

[jira] [Created] (DIRKRB-82) Kerberos Requires Plain Text Password

Kerberos Requires Plain Text Password
-------------------------------------

                 Key: DIRKRB-82
                 URL: https://issues.apache.org/jira/browse/DIRKRB-82
             Project: Directory Kerberos
          Issue Type: New Feature
    Affects Versions: 2.5.0
         Environment: All Environments
            Reporter: Jeff Domeyer
            Assignee: Emmanuel Lecharny
            Priority: Minor
         Attachments: ConfigurableKeyDerivationInterceptor.java

I would imagine a lot of people dislike storing password in LDAP in plain text, and unfortunately the client application is producing the hashed/encrypted password to be stored in LDAP, so when the Kerberos interceptor comes along, it can only use plain text passwords to calculate the Kerberos keys.

I created a subclass of KeyDerivationInterceptor, that when configured, will replace the plain text password with a hash of your choice.
(Looks like I can't attach here, will try attaching after creation of issue).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (DIRKRB-82) Kerberos Requires Plain Text Password

Posted by "Jeff Domeyer (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/DIRKRB-82?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Domeyer updated DIRKRB-82:
-------------------------------

    Attachment: ConfigurableKeyDerivationInterceptor.java

> Kerberos Requires Plain Text Password
> -------------------------------------
>
>                 Key: DIRKRB-82
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-82
>             Project: Directory Kerberos
>          Issue Type: New Feature
>    Affects Versions: 2.5.0
>         Environment: All Environments
>            Reporter: Jeff Domeyer
>            Assignee: Emmanuel Lecharny
>            Priority: Minor
>         Attachments: ConfigurableKeyDerivationInterceptor.java
>
>
> I would imagine a lot of people dislike storing password in LDAP in plain text, and unfortunately the client application is producing the hashed/encrypted password to be stored in LDAP, so when the Kerberos interceptor comes along, it can only use plain text passwords to calculate the Kerberos keys.
> I created a subclass of KeyDerivationInterceptor, that when configured, will replace the plain text password with a hash of your choice.
> (Looks like I can't attach here, will try attaching after creation of issue).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (DIRKRB-82) Kerberos Requires Plain Text Password

Posted by "Jeff Domeyer (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/DIRKRB-82?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13040605#comment-13040605 ] 

Jeff Domeyer commented on DIRKRB-82:
------------------------------------

I also dislike logging passwords, so I removed that.

an example interceptors configuration:

<interceptors>
...
      <!--<passwordPolicyInterceptor/>-->
      <!--<keyDerivationInterceptor/>-->
      <s:bean class="org.apache.directory.server.core.kerberos.ConfigurableKeyDerivationInterceptor"> 
        <s:property name="encryptUserPassword" value="SSHA" /> 
      </s:bean>
...

> Kerberos Requires Plain Text Password
> -------------------------------------
>
>                 Key: DIRKRB-82
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-82
>             Project: Directory Kerberos
>          Issue Type: New Feature
>    Affects Versions: 2.5.0
>         Environment: All Environments
>            Reporter: Jeff Domeyer
>            Assignee: Emmanuel Lecharny
>            Priority: Minor
>         Attachments: ConfigurableKeyDerivationInterceptor.java
>
>
> I would imagine a lot of people dislike storing password in LDAP in plain text, and unfortunately the client application is producing the hashed/encrypted password to be stored in LDAP, so when the Kerberos interceptor comes along, it can only use plain text passwords to calculate the Kerberos keys.
> I created a subclass of KeyDerivationInterceptor, that when configured, will replace the plain text password with a hash of your choice.
> (Looks like I can't attach here, will try attaching after creation of issue).

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira