Posted to dev@directory.apache.org by "Jeff Domeyer (JIRA)" <ji...@apache.org> on 2011/05/28 16:16:47 UTC
[jira] [Created] (DIRKRB-82) Kerberos Requires Plain Text Password
Kerberos Requires Plain Text Password
-------------------------------------
Key: DIRKRB-82
URL: https://issues.apache.org/jira/browse/DIRKRB-82
Project: Directory Kerberos
Issue Type: New Feature
Affects Versions: 2.5.0
Environment: All Environments
Reporter: Jeff Domeyer
Assignee: Emmanuel Lecharny
Priority: Minor
Attachments: ConfigurableKeyDerivationInterceptor.java
I would imagine a lot of people dislike storing passwords in LDAP in plain text, and unfortunately the client application is producing the hashed/encrypted password to be stored in LDAP, so when the Kerberos interceptor comes along, it can only use plain text passwords to calculate the Kerberos keys.
I created a subclass of KeyDerivationInterceptor that, when configured, will replace the plain text password with a hash of your choice.
(Looks like I can't attach here, will try attaching after creation of issue).
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (DIRKRB-82) Kerberos Requires Plain Text Password
Posted by "Jeff Domeyer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRKRB-82?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeff Domeyer updated DIRKRB-82:
-------------------------------
Attachment: ConfigurableKeyDerivationInterceptor.java
[jira] [Commented] (DIRKRB-82) Kerberos Requires Plain Text Password
Posted by "Jeff Domeyer (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DIRKRB-82?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13040605#comment-13040605 ]
Jeff Domeyer commented on DIRKRB-82:
------------------------------------
I also dislike logging passwords, so I removed that.
An example interceptors configuration:
<interceptors>
  ...
  <!--<passwordPolicyInterceptor/>-->
  <!--<keyDerivationInterceptor/>-->
  <s:bean class="org.apache.directory.server.core.kerberos.ConfigurableKeyDerivationInterceptor">
    <s:property name="encryptUserPassword" value="SSHA" />
  </s:bean>
  ...
</interceptors>
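The ordering the issue describes (derive the Kerberos keys while the plain text is still available, then store only a salted hash such as SSHA) can be sketched with the JDK alone. This is an added example, not the attached ConfigurableKeyDerivationInterceptor.java and not ApacheDS code. Assumptions: the class and method names, realm, principal and password are constructed, and deriveKey is a stand-in that performs only the PBKDF2-HMAC-SHA1 step of the RFC 3962 AES string-to-key, not the full derivation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashAfterKeyDerivation {
    // Stand-in for Kerberos key derivation: only the PBKDF2-HMAC-SHA1 step of the
    // RFC 3962 AES string-to-key (salt = realm + principal, 4096 iterations).
    static byte[] deriveKey(char[] password, String realm, String principal) throws Exception {
        byte[] salt = (realm + principal).getBytes(StandardCharsets.UTF_8);
        PBEKeySpec spec = new PBEKeySpec(password, salt, 4096, 128);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
    }

    // SSHA value: "{SSHA}" + base64( SHA-1(password || salt) || salt )
    static String ssha(byte[] password, byte[] salt) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(password);
        sha1.update(salt);
        byte[] digest = sha1.digest();
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(out);
    }

    // Bind-time check: recover the salt from the stored value and recompute.
    static boolean verify(byte[] candidate, String stored) throws Exception {
        if (!stored.startsWith("{SSHA}")) return false;
        byte[] raw = Base64.getDecoder().decode(stored.substring(6));
        if (raw.length <= 20) return false; // 20-byte SHA-1 digest must be followed by a salt
        byte[] salt = Arrays.copyOfRange(raw, 20, raw.length);
        return MessageDigest.isEqual(                       // constant-time comparison
            stored.getBytes(StandardCharsets.US_ASCII),
            ssha(candidate, salt).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String plain = "constructed-sample-password";       // constructed sample value
        byte[] pw = plain.getBytes(StandardCharsets.UTF_8);
        byte[] key = deriveKey(plain.toCharArray(), "EXAMPLE.COM", "alice"); // 1. keys first
        byte[] salt = new byte[8];
        new SecureRandom().nextBytes(salt);
        String stored = ssha(pw, salt);                     // 2. then replace with the hash
        System.out.println("key bytes: " + key.length + ", userPassword: " + stored);
        System.out.println("correct bind: " + verify(pw, stored));
        System.out.println("wrong bind:   " + verify("nope".getBytes(StandardCharsets.UTF_8), stored));
    }
}
```

Reversing the two numbered steps leaves nothing to derive keys from, since the SSHA value cannot be turned back into the password.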