-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Guy,
On 11/22/17 1:50 PM, Guy wrote: > Maybe I should ask this in a different way: what are the steps to > use encrypted passwords in tomcat-users.xml under Tomcat 8.0.14? Note that the passwords aren't "encrypted" per se (that is, they are not using reversible encryption), but they have been modified such that they cannot be recovered. This is known as a "secure hash" -- even when it's more complicated than that ... such as using PBKDF2, bcrypt, etc. They are essentially the same basic idea, but the PBKDF2s of the world add a bunch of other features to strengthen the key and add complexity to the process to yield a higher-quality stored credential (the thing that you put into the tomcat-users.xml file). > I know what they are in Tomcat 8.0.37. They're both versions of > Tomcat 8.0.x, so why does something that works in one not work in > the other? Does the server.xml configuration need to be different? That depends upon what you want to do. > Here are some specifics on how I'm running digest.sh. > > As you will see, they are different. The newer version has more > arguments, and produces a different output, in the format > salt$iterations$digest. Yes. This reflects the current default operation of digest.sh, but the credential handlers ought to be backward-compatible so if you use a digest with no salt and no iteration count, the newer version of Tomcat should be able to use it without a problem. A salted, iterated hash is more secure than one that isn't, which is why the default operation has been changed. > First, on Mac with apache-tomcat-8.0.37: > > % ./digest.sh secret > secret:304fb189dd47d028f892f95a0d9a2c8d707b24d72474b62e78d30401a7cc05b 6$1$a299b9b24fdaf7219500ad39f21cea319fdce2a99d175c263ab16bd89c428ffdbafe a125f9559a4be9081b5955c35574dae002fb2b32b1acccdef9c77a81fb2e The > version of Tomcat is significant, but the OS is not. This isn't a Mac-vs-Linux thing. > % ./digest.sh Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i > <iterations>] [-s <salt-length>] [-k <key-length>] [-h > <handler-class-name>] <credentials> > > I believe this is defaulting to SHA-512 as per the docs and the > fact that it worked when I configured the Realm to use SHA-512 with > the CredentialHandler. Right. > Next, on Linux with apache-tomcat-8.0.14-1: > > # ./digest.sh secret Usage: RealmBase -a <algorithm> [-e > <encoding>] <credentials> # ./digest.sh -a SHA-512 secret > secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d6 82ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2 > > > > So, something in the underlying RealmBase class is different, and > I can't get this output (or anything) to work on this server. > There's also a warning in the log: > > org.apache.tomcat.util.digester.Digester.endElement No rules > found matching > 'Server/Service/Engine/Realm/Realm/CredentialHandler'. > > which leads me to believe the server.xml configuration needs to be > different for this version too. However, none of this is indicated > in the documentation. I'm at a complete loss. Pluggable CredentialHandlers (and the significant upgrades to the authentication system including support for salts and iterations for "basic" crypto hashes) weren't added until Tomcat 8.0.15 [1], so you won't be able to use those. If you need to be able to use the same configuration for both Tomcat 8.0.14 and Tomcat 8.0.37, then you'll need to use the non-salted non-iterated hashes supported by the older version. If you want to be able to generate those hashes with Tomcat 8.0.37 and use them with Tomcat 8.0.14, then you'll need to use some more command-like arguments to generate a backward-compatible hash: $ ./digest.sh -s 0 -i 1 secret secret:bd2b1aaf7ef4f09be9f52ce2d8d599674d81aa9d6a4421696dc4d93dd0619d682 ce56b4d64a9ef097761ced99e0f67265b5f76085e5b0ee7ca4696b2ad6fe2b2 If you set the salt-length to zero (bytes) and the iteration count to 1, you'll get a hash that matches what Tomcat 8.0.14 would have produced . Hope that helps, - -chris [1] http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.15_(ma rkt) -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAloW/4YACgkQHPApP6U8 pFhFtA/7BIJRqXRoc63Wn172BbcNvdp9ox2sJvB/PvSGObYKrpSjhg3gAYaVYUWc IBDUH0oBG8d7RN1evSKDr1sMtqc5o0k1JJAxkNuUh1Dn1C2oCkuKw6e9XBZxu71S Wkpskh3gHOrgEY6LLE2ui6ISDpAMU07+fl/Mu6bIUz7cI806MlAKmgLjCZRPTP5X ol46NFDPz1B9CuC4Mfw6lmOlGASvKrNIfrBKA7fRh78tm4ZG7pLC4m0Ejl1QU/0S 0qHTmoTb78056QZKuVvKUPTzZSXa0WxxUZcjH7yX0XPGmgUwPzQbgvkc9tPgt/vo bvUAudNlTdEKpHCFr5wugvdLH4YdcNqi/yIzdHEOdgh0+JSO0O+8PRBmoOpejmxo w8UnTOXe8dcKbUnynKJrFKDBk36hqEZkSde9Cnki4MLmDTjRAZ4t+0Dbo6SaZAQp OFir+4uM0JGfEG5b/AwK4yI4hIZ12JO9BDob7BLaTkIWHKVSBNL3IVg7RUOH0mKZ C1W+HeS0aLbZF4S9WJ5IEbefWQ7ORZk5TtwUfM04+sPJs0PIRpo4yXkzAYC7AqOp N7f4h1xa18puo6dm3rFzznmplYqchvuQLuGzas+7hrgZZBOCSXHGe7+oceso0U7N dClxSowtGRzrWTd8g+djyfTOXyvxTibjdd+2NxIhQm5dYynoulA= =gxmP -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
