[
https://issues.apache.org/jira/browse/SSHD-709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15594922#comment-15594922
]
Goldstein Lyor commented on SSHD-709:
-------------------------------------
While the idea is valid, I am not sure it is feasible - after all, users are
likely to use {{String}}-s as they are the most useful (e.g., reading from
files, keyboard, etc.), so even if SSHD is eventually provided with {{char[]}}
the _String_ from which it originated is still there. Furthermore, the password
identity of the client session must be stored anyway, so dumping the memory
would show the password even if stored as {{char[]}}. I am not sure the
vulnerability can really be mitigated if using {{char[]}} instead of
_String_(s). I have added some methods to {{Buffer}} (see _putChars_,
_putAndWipeChars/Bytes_) in case we pursue this, and have modified
_UserInteraction_ to use a {{List<char[]>}} instread of a {{String[]}} but this
is as far as I can see this being useful.
> All passwords should be stored as char[] instead of String and wiped after use
> ------------------------------------------------------------------------------
>
> Key: SSHD-709
> URL: https://issues.apache.org/jira/browse/SSHD-709
> Project: MINA SSHD
> Issue Type: Improvement
> Reporter: Guillaume Nodet
> Assignee: Goldstein Lyor
> Priority: Minor
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
