manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Store hash of MCF admin password
Date Fri, 22 Jul 2016 14:00:16 GMT
Patches are welcome.  Please create a ticket and attach a patch that does
what you think the encryption ought to do.

Karl


On Fri, Jul 22, 2016 at 9:22 AM, Aurélien MAZOYER <
aurelien.mazoyer@francelabs.com> wrote:

> Hi,
>
> In order to try to improve security in MCF, I would like to be able to
> store the password (that is currently hardcoded) used for obfuscation in a
> specific configuration file. The aim of this approach is to be able to
> change it but also to be able to add specific Linux access rights to it. To
> do that, I think I need to rewrite the Obfuscate file in the source code.
> Do you think this approach is valid?
>
> Regards,
>
> Aurélien
>
> On 18/07/2016 14:50, Aurélien MAZOYER wrote:
>
> Hi Konrad,
>
> Thank you for your answer. It seems that the obfuscation tool uses a
> symmetric encoding with password and salt to obfuscate/deobfuscate
> passwords. I can see that there is a way to change the salt with a
> property, but it seems that the password is hardcoded in the source code.
> What is the best practice to use this obfuscation tool? Is it enough to
> change the salt in the property file?
>
> Regards,
>
> Aurélien
>
> On 18/07/2016 14:13, Konrad Holl wrote:
>
> Hi Aurélien,
>
>
>
> try the obfuscate.[bat|sh] file in the obfuscation-utility directory.
>
>
>
> In property.xml you can use this obfuscated password instead:
> org.apache.manifoldcf.login.password.obfuscated . See also
> http://manifoldcf.apache.org/release/release-2.4/en_US/how-to-build-and-deploy.html
>
>
>
> Hope that helps,
>
>
>
> Konrad.
>
>
>
> *From:* Aurélien MAZOYER [mailto:aurelien.mazoyer@francelabs.com]
> *Sent:* Monday, 18 July 2016 13:31
> *To:* user@manifoldcf.apache.org
> *Subject:* Store hash of MCF admin password
>
>
>
> Hi all,
>
> Is there a way to store a hash of the mcf admin password instead of a
> clear password in the configuration file of MCF?
>
> Regards,
>
> Aurélien
>
>
>
>
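
The approach proposed in the thread (obfuscation passphrase read from a dedicated file protected by Linux access rights, combined with a configurable salt) could look like the sketch below. This is an added example, not ManifoldCF's Obfuscate code or anything posted to the list. The class name, the temporary file, PBKDF2WithHmacSHA256, AES-GCM, the iteration count and all sample values are assumptions, and it needs a POSIX filesystem.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class FileKeyedObfuscator {
    // Read the passphrase only if nobody but the file owner has any access to the file.
    static char[] loadPassphrase(Path file) throws Exception {
        Set<PosixFilePermission> extra = new HashSet<>(Files.getPosixFilePermissions(file));
        extra.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        if (!extra.isEmpty()) throw new SecurityException(file + " has extra permissions " + extra);
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim().toCharArray();
    }
    // Derive an AES key from the file passphrase and the configured salt.
    static SecretKeySpec deriveKey(char[] pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, 100_000, 256); // assumed parameters
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }
    // Stored form is base64(iv || ciphertext and GCM tag), with a fresh IV per value.
    static String obfuscate(String clear, SecretKeySpec key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(clear.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String deobfuscate(String stored, SecretKeySpec key) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("mcf-obf", ".key"); // constructed demo key file
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-------"));
        Files.write(f, "constructed-passphrase".getBytes(StandardCharsets.UTF_8));
        SecretKeySpec key = deriveKey(loadPassphrase(f), "constructed-salt".getBytes(StandardCharsets.UTF_8));
        String stored = obfuscate("constructed-admin-password", key);
        System.out.println(stored + " -> " + deobfuscate(stored, key));
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-r--r--"));
        try { loadPassphrase(f); } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.delete(f);
    }
}
```

The stored value remains reversible by anyone who can read the key file, so the protection rests on that file's ownership and mode rather than on the encoding itself.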
