RFE Review : JDK-5016517 - Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent

Harsha Wardhana B harsha.wardhana.b at oracle.com
Mon Apr 24 16:03:25 UTC 2017


Hi Gruss,

Crypt format has additional params (param name and its value: hash 
complexity parameters, like rounds/iterations count) which are not 
applicable to the current implementation. Also, hash algorithms shipped 
with the JDK are applicable (MD5, SHA1, SHA256) and any other algorithms 
specified by the crypt format will be ignored.

Crypt format can be used, but it is over-engineered for the current 
requirement/implementation. I am not opposed to using it and would 
welcome input from other reviewers.

-Harsha

On Sunday 23 April 2017 08:10 PM, Bernd Eckenfels wrote:
> Hm, why introduce a new password hash format? Just use modular crypt() 
> format (and iterations). This allows common tools (like htpasswd) to be 
> used to generate the hashes. It would use the $5$ prefix for SHA256, 
> but actually I would use $6$ for iterated SHA512 as it is the default 
> on most recent Linux distributions.
>
> Gruss
> Bernd
> -- 
> http://bernd.eckenfels.net
> ------------------------------------------------------------------------
> *From:* serviceability-dev 
> <serviceability-dev-bounces at openjdk.java.net> on behalf of Harsha 
> Wardhana B <harsha.wardhana.b at oracle.com>
> *Sent:* Sunday, April 23, 2017 12:20:57 PM
> *To:* serviceability-dev at openjdk.java.net
> *Subject:* RFE Review : JDK-5016517 - Replace plaintext passwords by 
> hashed passwords for out-of-the-box JMX Agent
>
> Hi All,
>
> Please review this enhancement to replace the plain-text password for 
> the JMX agent with a SHA-256 hash.
>
> Issue: https://bugs.openjdk.java.net/browse/JDK-5016517
>
> webrev: http://cr.openjdk.java.net/~hb/5016517/webrev.00/
>
> Overview of implementation:
>
> Currently, the JMX agent password file used to authenticate users 
> stores the user name and password as clear text. Though system-level 
> restrictions are recommended for the JMX password file, passwords are 
> vulnerable since they are stored in the clear. The current RFE proposes 
> to store passwords as a SHA256 hash instead of clear text.
>
> In the current implementation, if the password file is writable and 
> passwords are in clear text, they will be replaced by their SHA256 hash 
> upon agent boot-up or when a login attempt is made.
>
> The file, 
> src/jdk.management.agent/share/conf/jmxremote.password.template 
> contains more details about the implementation.
>
> - Harsha
>
>
>
>
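As an added illustration, not code from the webrev or the JDK, here is a hypothetical Java verifier for a password-file entry in the `$id$rounds=N$salt$hash` layout Bernd refers to; it shows that the rounds and salt fields map directly onto plain `MessageDigest` calls and that the comparison can be done in constant time. The class name `CryptStyleEntry`, the default round count of 5000 and the sample password are assumptions, and the iteration scheme is a deliberate simplification of sha256-crypt, so entries produced by htpasswd or crypt(3) will not verify against it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;

/** Hypothetical verifier for password-file entries laid out like modular crypt: $id$rounds=N$salt$hash. */
public final class CryptStyleEntry {
    // Prefix ids mapped to JDK MessageDigest names (SHA-512 is also shipped with the JDK).
    static final Map<String, String> ALGORITHMS = Map.of("1", "MD5", "5", "SHA-256", "6", "SHA-512");
    final String algorithm; final int rounds; final byte[] salt; final byte[] hash;

    CryptStyleEntry(String entry) {
        String[] p = entry.split("\\$");          // "", id, [rounds=N], salt, base64 hash
        if (p.length < 4 || !p[0].isEmpty() || !ALGORITHMS.containsKey(p[1]))
            throw new IllegalArgumentException("malformed or unsupported entry");
        algorithm = ALGORITHMS.get(p[1]);
        int i = 2, r = 5000;                       // 5000 = assumed default when rounds= is absent
        if (p[i].startsWith("rounds=")) { r = Integer.parseInt(p[i].substring(7)); i++; }
        if (r < 1000 || p.length != i + 2) throw new IllegalArgumentException("bad rounds or field count");
        rounds = r;
        salt = p[i].getBytes(StandardCharsets.UTF_8);
        hash = Base64.getDecoder().decode(p[i + 1]);
    }

    /** Simplified iterated salted digest: H(salt||pw), then H(prev||pw) repeated. This is NOT the
     *  glibc/htpasswd sha256-crypt construction, so hashes produced by those tools will not verify here. */
    static byte[] digest(String algorithm, int rounds, byte[] salt, char[] password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] pw = new String(password).getBytes(StandardCharsets.UTF_8);
        md.update(salt); md.update(pw);
        byte[] out = md.digest();                  // digest() also resets md for the next round
        for (int n = 1; n < rounds; n++) { md.update(out); md.update(pw); out = md.digest(); }
        Arrays.fill(pw, (byte) 0);                 // do not leave the password bytes lying around
        return out;
    }

    /** MessageDigest.isEqual compares without short-circuiting on the first differing byte. */
    boolean verify(char[] password) throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hash, digest(algorithm, rounds, salt, password));
    }

    /** Build an entry, e.g. when an agent rewrites a clear-text line at boot. Salt is base64 text, so no '$'. */
    static String format(String id, int rounds, char[] password) throws NoSuchAlgorithmException {
        byte[] raw = new byte[12]; new SecureRandom().nextBytes(raw);
        String salt = Base64.getEncoder().withoutPadding().encodeToString(raw);
        byte[] h = digest(ALGORITHMS.get(id), rounds, salt.getBytes(StandardCharsets.UTF_8), password);
        return "$" + id + "$rounds=" + rounds + "$" + salt + "$" + Base64.getEncoder().withoutPadding().encodeToString(h);
    }

    public static void main(String[] args) throws Exception {
        String entry = format("5", 10_000, "monitorRole-secret".toCharArray());   // constructed sample password
        System.out.println(entry + " -> " + new CryptStyleEntry(entry).verify("monitorRole-secret".toCharArray()));
    }
}
```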