How to convert plain to encrypted passwords

I manage the users via Web on a CGI (Shell Script) page.

Until now, it's working fine. But what I want to do now is to store the new user's password encrypted, so the admin can't read those passwords in the DB (MySQL).

Is there a way to generate it on Linux? PHP or Perl functions, I don't know, I'm just guessing.

Thanks in advance.

Regards,

Rodrigo.

Hi Rodrigo,

To give you the idea of how to encrypt a password suitably for Wildfire, you might want to see how it's done in StringUtils.java.

For your info, the user password algorithm in Wildfire is a symmetric cipher using Blowfish. The key used with the algorithm is stored in the Wildfire property "passwordKey". That means, even if you encrypt the password, someone (obviously the admin) who knows the "passwordKey" can decrypt it pretty easily.

Further reading on passwords can be found in JM-291.

Hope that helps.

Hi Rodrigo,

If you want Wildfire to use an md5 or sha1 hashed password you currently need to use a second database, see http://www.jivesoftware.org/builds/wildfire/docs/latest/documentation/db-integration-guide.html for details on how to configure this. If you are not using the embedded database then you may just create another user in the database Wildfire uses right now to store the user information.

Matt did write some time ago: "In order to do digest auth or SASL-digest, the plain text password is required. If only a hash is stored, that basically means that users have to use a TLS connection in order for authentication to be secure." - this explains why Wildfire is able to decrypt the password.

So I wonder if one would like to see an option to force Wildfire to store md5 or sha1 hashed passwords instead of the encrypted one.

LG
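Matt's quoted point, that a digest challenge can only be answered by a server able to rebuild the password-derived HA1, shown as an added Python example (this is not Wildfire code; the realm "example.org", the user name and the simplified response formula are constructed here):

```python
import hashlib
import secrets


def md5_hex(*parts: str) -> str:
    """MD5 over colon-joined fields, the building block of digest schemes."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def client_response(username, realm, password, nonce, cnonce):
    """Client side: HA1 = MD5(user:realm:password), mixed with both nonces.
    Simplified DIGEST-MD5 shape; the dependency on the plaintext is the same."""
    ha1 = md5_hex(username, realm, password)
    return md5_hex(ha1, nonce, cnonce)


def server_verify(credential, username, realm, nonce, cnonce, response):
    """Server side. 'plain' is the password itself (Wildfire's reversibly
    encrypted password reduces to this once decrypted with passwordKey);
    'ha1' is the realm-bound MD5(user:realm:password) that RFC 2831 lets a
    server store instead; a one-way hash such as SHA-1 cannot yield HA1."""
    kind, value = credential["kind"], credential["value"]
    if kind == "plain":
        ha1 = md5_hex(username, realm, value)
    elif kind == "ha1":
        ha1 = value
    else:
        raise ValueError(f"cannot derive HA1 from a one-way {kind} hash")
    return md5_hex(ha1, nonce, cnonce) == response


def demo(stored_password="mypass"):
    """Constructed exchange: client authenticates as 'rodrigo' with 'mypass';
    the server holds stored_password in three forms. Returns verdict per store."""
    user, realm = "rodrigo", "example.org"
    nonce, cnonce = secrets.token_hex(8), secrets.token_hex(8)
    response = client_response(user, realm, "mypass", nonce, cnonce)
    stores = {
        "plain": {"kind": "plain", "value": stored_password},
        "ha1": {"kind": "ha1", "value": md5_hex(user, realm, stored_password)},
        "sha1": {"kind": "sha1", "value": hashlib.sha1(stored_password.encode()).hexdigest()},
    }
    results = {}
    for name, cred in stores.items():
        try:
            results[name] = server_verify(cred, user, realm, nonce, cnonce, response)
        except ValueError:
            results[name] = None  # verification impossible with this store
    return results
```

`demo()` returns True for the plain and HA1 stores and None for the SHA-1 store, which is exactly the gap that forces either reversible storage or TLS-protected plaintext authentication.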

For your info, the user password algorithm in Wildfire is a symmetric cipher using Blowfish. The key used with the algorithm is stored in the Wildfire property "passwordKey". That means, even if you encrypt the password, someone (obviously the admin) who knows the "passwordKey" can decrypt it pretty easily.

Okay… it's no problem to me. I was just wondering whether even the admin couldn't know the password.

But I need to know how to convert this password, for instance "mypass", to the encrypted one so I can store it directly in the DB in the encryptedPassword field.

How can I do that on Linux? Do I have to use Java to do that?

Thanks for the help,

Rodrigo.

If you want Wildfire to use an md5 or sha1 hashed password you currently need to use a second database, see http://www.jivesoftware.org/builds/wildfire/docs/latest/documentation/db-integration-guide.html for details on how to configure this. If you are not using the embedded database then you may just create another user in the database Wildfire uses right now to store the user information.

I just want to convert a plain password to an encrypted one… as you can see in my past reply.

Thanks,

Rodrigo.

Encrypted passwords are used by default. If you don't see encrypted passwords, there are two possibilities:

  1. You're using quite an old version of Wildfire. I would suggest upgrading.

  2. You already upgraded from an old version of Wildfire, but certain users haven't logged in since then. When they log in, their password will be automatically converted to an encrypted password.

Regards,

Matt

matt wrote:

Encrypted passwords are used by default. If you don't see encrypted passwords, there are two possibilities:

Yes, it's true. But I don't create the users via Admin Console, I create them via Web (CGI) as I said before.

  1. You're using quite an old version of Wildfire. I would suggest upgrading.

Nope, I'm using version 3.0.1.

  2. You already upgraded from an old version of Wildfire, but certain users haven't logged in since then. When they log in, their password will be automatically converted to an encrypted password.

Yes, I recently upgraded from 2.x to 3.0.1 and all the users had plain passwords. Now just the users that are created via Admin Console have encrypted passwords. All the others have plain ones. Even if the user logs in after the upgrade (my own user, for instance), the password is still in plain text.

Thanks for the help,

Rodrigo.

Yes, I recently upgraded from 2.x to 3.0.1 and all the users had plain passwords. Now just the users that are created via Admin Console have encrypted passwords. All the others have plain ones. Even if the user logs in after the upgrade (my own user, for instance), the password is still in plain text.

I upgraded now from 3.0.1 to 3.1.0 and the passwords are still stored in plain text.

Matt, anyone…??

Regards,

Rodrigo.

I may have been wrong about the auto-update feature. We'll look into it and post a follow-up.

Thanks,

Matt

matt wrote:

I may have been wrong about the auto-update feature. We'll look into it and post a follow-up.

Thanks,

Matt

OK… that would be a great feature.

Thanks,

Rodrigo.

I filed this as JM-869.

Regards,

Matt