RFE Review : JDK-5016517 - Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent

Harsha Wardhana B harsha.wardhana.b at oracle.com
Sun Apr 23 10:20:57 UTC 2017


Hi All,

Please review this enhancement to replace the plain-text passwords for the
JMX agent with SHA-256 hashes.

Issue: https://bugs.openjdk.java.net/browse/JDK-5016517

webrev: http://cr.openjdk.java.net/~hb/5016517/webrev.00/

Overview of implementation:

Currently, the JMX agent password file, used to authenticate users, stores 
user names and passwords as clear text. Though system-level restrictions 
are recommended for the JMX password file, passwords are vulnerable since 
they are stored in the clear. The current RFE proposes to store passwords as 
SHA256 hashes instead of clear text.

In the current implementation, if the password file is writable and the 
passwords are in the clear, they will be replaced by their SHA256 hashes upon 
agent boot-up or when a login attempt is made.

The file 
src/jdk.management.agent/share/conf/jmxremote.password.template contains 
more details about the implementation.

- Harsha
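
The migration described above, sketched in Java as an added example (not the webrev's code): clear-text entries in a writable password file are replaced by SHA-256 hashes, and a later login is checked against the stored hash. The four-field line layout, the per-entry salt, and the class and method names are assumptions of this example; the message specifies only SHA-256.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;

// Added example: the "user salt hash SHA-256" layout and the salt are assumptions, not the JDK's format.
public class JmxPasswordMigration {
    static final String ALG = "SHA-256";

    static String hash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(ALG);
        md.update(salt);
        return Base64.getEncoder().encodeToString(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }
    // Rewrites "user clearPassword" lines as hashed lines; returns how many entries were converted.
    static int migrate(Path file) throws Exception {
        if (!Files.isWritable(file)) return 0;           // read-only file: entries stay as they are
        SecureRandom rnd = new SecureRandom();
        List<String> out = new ArrayList<>();
        int converted = 0;
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String[] f = line.trim().split("\\s+");
            // Comments, blank lines and already-hashed (four-field) lines pass through unchanged.
            if (line.trim().startsWith("#") || f.length != 2) { out.add(line); continue; }
            byte[] salt = new byte[16]; rnd.nextBytes(salt);
            out.add(String.join(" ", f[0], Base64.getEncoder().encodeToString(salt), hash(salt, f[1]), ALG));
            converted++;
        }
        if (converted > 0) {                             // write a sibling temp file, then swap it in
            Path tmp = Files.createTempFile(file.toAbsolutePath().getParent(), "jmxpw", ".tmp");
            Files.write(tmp, out, StandardCharsets.UTF_8);
            Files.move(tmp, file, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        }
        return converted;
    }
    // Checks a login attempt against one hashed line, comparing digests in constant time.
    static boolean verify(String hashedLine, String user, String password) throws Exception {
        String[] f = hashedLine.trim().split("\\s+");
        if (f.length != 4 || !f[0].equals(user) || !f[3].equals(ALG)) return false;
        byte[] actual = Base64.getDecoder().decode(hash(Base64.getDecoder().decode(f[1]), password));
        return MessageDigest.isEqual(Base64.getDecoder().decode(f[2]), actual);
    }
    public static void main(String[] args) throws Exception {
        Path p = Files.createTempFile("jmxremote", ".password");
        Files.write(p, List.of("# constructed sample", "monitorRole example-pw-1", "controlRole example-pw-2"));
        System.out.println("converted: " + migrate(p) + ", second run: " + migrate(p));
        String entry = Files.readAllLines(p).get(1);
        System.out.println(verify(entry, "monitorRole", "example-pw-1") + " " + verify(entry, "monitorRole", "wrong"));
    }
}
```

A second run converts nothing because hashed lines no longer match the two-field clear-text shape, so the rewrite is safe to repeat at every agent start.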






More information about the serviceability-dev mailing list