Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/01/12 15:46:39 UTC

[jira] [Commented] (QPID-6993) [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords

    [ https://issues.apache.org/jira/browse/QPID-6993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15093982#comment-15093982 ] 

ASF subversion and git services commented on QPID-6993:
-------------------------------------------------------

Commit 1724251 from [~godfrer] in branch 'java/trunk'
[ https://svn.apache.org/r1724251 ]

QPID-6993 : Improve ScramSHA* authentication managers so they no longer store the hashed salted password

> [Java Broker] Improve security of SCRAM-* authentication managers by not storing the salted passwords
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-6993
>                 URL: https://issues.apache.org/jira/browse/QPID-6993
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>             Fix For: qpid-java-6.1
>
>
> Currently the SCRAM-* authentication managers store the salted hashed password.  If this information is somehow leaked then the possessor of the information could use this value to log in to the broker without knowing the plain text password.
> We can change the storage mechanism to store instead the "storedKey" and "serverKey" which will not allow the possessor of the leaked configuration to authenticate - they will need to know either the plain text password or the hashed salted password - which cannot be recovered from the password file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
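The argument in the issue description, worked through in code. This is an added example, not code from the Qpid Java Broker or from the commit above: it builds the RFC 5802 key hierarchy (SaltedPassword, ClientKey, StoredKey, ServerKey) for SCRAM-SHA-256 using only the Python standard library, stores a credential in the pre-fix shape (salted password) and the post-fix shape (StoredKey and ServerKey), and runs the server-side check of the client's final message against both. The password, salt, iteration count and AuthMessage are constructed values chosen for the example; a real AuthMessage is assembled from the three exchanged SCRAM messages.

```python
import hashlib
import hmac

# "sha256" gives SCRAM-SHA-256; the broker's SCRAM-SHA-1 manager uses the same
# construction with "sha1".
HASH = "sha256"

# Constructed test data for this example, not taken from any real configuration.
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")
ITERATIONS = 4096
# In a real exchange AuthMessage = client-first-bare + "," + server-first +
# "," + client-final-without-proof (RFC 5802); here it is a fixed string.
AUTH_MESSAGE = (b"n=alice,r=cnonce,r=cnoncesnonce,s=ASNFZ4mrze8BI0VniavN7w==,"
                b"i=4096,c=biws,r=cnoncesnonce")


def H(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def HMAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi(str, salt, i) in RFC 5802 is PBKDF2 with HMAC-<hash> as the PRF.
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def derive_keys(salted: bytes) -> tuple:
    client_key = HMAC(salted, b"Client Key")
    stored_key = H(client_key)          # one-way: ClientKey cannot be recovered
    server_key = HMAC(salted, b"Server Key")
    return client_key, stored_key, server_key


def old_record(password: str) -> dict:
    """Pre-fix storage shape: the salted password itself is written out."""
    return {"salt": SALT, "iterations": ITERATIONS,
            "salted_password": salted_password(password, SALT, ITERATIONS)}


def new_record(password: str) -> dict:
    """Post-fix storage shape: only StoredKey and ServerKey."""
    _, stored_key, server_key = derive_keys(salted_password(password, SALT, ITERATIONS))
    return {"salt": SALT, "iterations": ITERATIONS,
            "stored_key": stored_key, "server_key": server_key}


def stored_key_of(record: dict) -> bytes:
    # Both shapes give the server a StoredKey; the old one derives it at login time.
    if "stored_key" in record:
        return record["stored_key"]
    return derive_keys(record["salted_password"])[1]


def make_proof(client_key: bytes, stored_key: bytes, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR ClientSignature, ClientSignature = HMAC(StoredKey, AuthMessage)
    return xor(client_key, HMAC(stored_key, auth_message))


def server_verify(record: dict, auth_message: bytes, client_proof: bytes) -> bool:
    """Server side of client-final: unmask ClientKey and check H(ClientKey) == StoredKey."""
    stored_key = stored_key_of(record)
    recovered_client_key = xor(client_proof, HMAC(stored_key, auth_message))
    return hmac.compare_digest(H(recovered_client_key), stored_key)


def legitimate_proof(password: str, record: dict, auth_message: bytes) -> bytes:
    salted = salted_password(password, record["salt"], record["iterations"])
    client_key, stored_key, _ = derive_keys(salted)
    return make_proof(client_key, stored_key, auth_message)


def attacker_proof_old(record: dict, auth_message: bytes) -> bytes:
    # A leaked salted password lets the attacker re-derive ClientKey without the password.
    client_key, stored_key, _ = derive_keys(record["salted_password"])
    return make_proof(client_key, stored_key, auth_message)


def attacker_proof_new(record: dict, auth_message: bytes) -> bytes:
    # With only StoredKey = H(ClientKey) there is no way back to ClientKey; the best
    # the attacker can do is substitute StoredKey for it, which the server rejects.
    return make_proof(record["stored_key"], record["stored_key"], auth_message)


def run_scenarios() -> dict:
    old, new = old_record(PASSWORD), new_record(PASSWORD)
    return {
        "legit_vs_old": server_verify(old, AUTH_MESSAGE, legitimate_proof(PASSWORD, old, AUTH_MESSAGE)),
        "legit_vs_new": server_verify(new, AUTH_MESSAGE, legitimate_proof(PASSWORD, new, AUTH_MESSAGE)),
        "leaked_old_record": server_verify(old, AUTH_MESSAGE, attacker_proof_old(old, AUTH_MESSAGE)),
        "leaked_new_record": server_verify(new, AUTH_MESSAGE, attacker_proof_new(new, AUTH_MESSAGE)),
        "wrong_password": server_verify(new, AUTH_MESSAGE, legitimate_proof("guess", new, AUTH_MESSAGE)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Running it shows the legitimate client authenticating against both record shapes, the holder of a leaked old-style record authenticating with no password, and the holder of a leaked new-style record being rejected. Two general SCRAM caveats (RFC 5802, Security Considerations; not claims about this Qpid change) still apply to the new shape: a leaked ServerKey lets its holder impersonate the broker to clients, and StoredKey remains subject to offline dictionary attack, which only the PBKDF2 iteration count slows down.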

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org