[jira] Commented: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication

Sat, 27 Feb 2010 02:06:29 -0800 

    [ 
https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12839215#action_12839215
 ] 

Knut Anders Hatlen commented on DERBY-4483:
-------------------------------------------

Hi Bryan,

>> This means that a database may contain passwords that are hashed using 
>> different algorithms.
>
> Can the Derby administrator or DBA tell that they are in this state? Is there 
> a way to know
> which user/passwords are hashed with which algorithm, during a situation in 
> which my database has
> such a mixture? 

If the DBA has a list of all users in the system, he could query the 
derby.user.* database properties and look at their suffixes. For example:

ij> select name, substr(pw, length(pw) - 9, 10) from
> (select u, syscs_util.syscs_get_database_property(rtrim('derby.user.'||u))
> from (values 'knut', 'bryan', 'dag') v(u)) s(name, pw);
NAME |2         
----------------
knut |5de26b791b
bryan|f4a77c:MD5
dag  |a2:SHA-512

3 rows selected

Here, the user 'knut' has a password that's hashed with the old scheme (there's 
no algorithm name in the suffix), 'bryan' has a password hashed with MD5, and 
'dag' with SHA-512.

I don't think we currently have any way of listing all database properties, so 
the DBA must know all users up front in order to perform this query. It might 
be useful (in a separate JIRA) to add a new diagnostic table function to 
improve the monitoring capabilities. Then we could simply have done something 
like this:

select * from table ( syscs_diag.database_properties('derby.user.%') ) p;

> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.5.3.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: experiment.diff
>
>
> The BUILTIN authentication scheme protects the passwords by hashing them with 
> the SHA-1 algorithm. It would be nice to have way to specify a different 
> algorithm so that users can take advantage of new, stronger algorithms 
> provided by their JCE provider if so desired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to