[ https://issues.apache.org/jira/browse/GUACAMOLE-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Couchman updated GUACAMOLE-1743:
-------------------------------------
    Issue Type: Improvement  (was: Bug)

> Add support for more secure hashing algorithms in user-mapping.xml
> -----------------------------------------------------------------
>
>                 Key: GUACAMOLE-1743
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1743
>             Project: Guacamole
>          Issue Type: Improvement
>            Reporter: Matteo Kloiber
>            Priority: Minor
>
> Currently only SHA-256 and MD5 are supported in user-mapping.xml. Both
> algorithms are very vulnerable to hash table attacks as no salt or similar
> mechanics are used.
>
> This is a problem for home lab setups as this method is not much better than
> leaking the plaintext password in a configuration file.
> I was thinking of using a hashing algorithm such as Argon2 or PBKDF2.
> Although I believe Argon2 is better, PBKDF2 might be preferable as it's
> already in the standard library. Another problem is that both algorithms need
> more parameters than just the hash, such as the salt and the number of
> iterations. So an encoding for the password parameter might be easier than
> creating more parameters just for this algorithm.
>
> For example, with the password test, one might encode it like this:
> <authorize username="matt3o12"
>            password="128:1000:HCgQ/crR+Ed3m5zAzcEk7w==:pzozvnzyXuz40RjCTbHv1A=="
>            encoding="PBKDF2WithHmacSHA256">
>
> The encoding is dkLen:iterations:salt:password
>
> What are your thoughts about this? How should the additional parameters be
> encoded? Part of the password or maybe with additional XML parameters.
> I think having good password hashing is really important, especially for home
> lab setups, where other login algorithms are overkill.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
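As an added illustration of the `dkLen:iterations:salt:hash` encoding the reporter proposes (this is not code from the Guacamole project or from the issue), the following Python shows how such a password attribute could be produced and verified with PBKDF2-HMAC-SHA256, which is what the JCA name `PBKDF2WithHmacSHA256` in the proposal refers to. It assumes that `dkLen` is given in bits (so the value 128 matches the 16-byte base64 hash in the example), that salt and hash are standard base64, and that a malformed attribute must be rejected rather than silently accepted; the salt and iteration values in the usage are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed encoding of the password attribute, following the proposal:
#   dkLen:iterations:salt:hash
# dkLen is interpreted here as the derived-key length in bits (assumption).
ALGORITHM = "sha256"  # PBKDF2WithHmacSHA256 in JCA terms


def encode_pbkdf2(password: str, salt: bytes, iterations: int,
                  dk_len_bits: int = 128) -> str:
    """Build the proposed dkLen:iterations:salt:hash string for a password."""
    if dk_len_bits % 8 != 0 or dk_len_bits < 64:
        raise ValueError("dkLen must be a multiple of 8 bits and at least 64")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if len(salt) < 8:
        raise ValueError("salt too short; use at least 8 random bytes")
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, dklen=dk_len_bits // 8)
    return ":".join([
        str(dk_len_bits),
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def parse_pbkdf2(encoded: str) -> tuple[int, int, bytes, bytes]:
    """Split and validate a stored entry; any inconsistency raises ValueError."""
    parts = encoded.split(":")
    if len(parts) != 4:
        raise ValueError("expected dkLen:iterations:salt:hash")
    dk_len_bits = int(parts[0])
    iterations = int(parts[1])
    if dk_len_bits % 8 != 0 or dk_len_bits < 64 or iterations < 1:
        raise ValueError("implausible dkLen or iteration count")
    salt = base64.b64decode(parts[2], validate=True)
    stored_hash = base64.b64decode(parts[3], validate=True)
    if len(stored_hash) != dk_len_bits // 8:
        raise ValueError("hash length does not match dkLen")
    return dk_len_bits, iterations, salt, stored_hash


def is_well_formed(encoded: str) -> bool:
    """True when the entry parses; lets callers reject bad config at load time."""
    try:
        parse_pbkdf2(encoded)
        return True
    except ValueError:
        return False


def verify_pbkdf2(password: str, encoded: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    dk_len_bits, iterations, salt, stored_hash = parse_pbkdf2(encoded)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                                    iterations, dklen=dk_len_bits // 8)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_hash)


def new_entry(password: str, iterations: int = 600_000) -> str:
    """Create an entry with a fresh random 16-byte salt, one per user."""
    return encode_pbkdf2(password, os.urandom(16), iterations)


if __name__ == "__main__":
    # Constructed sample: fixed salt and low iteration count for demonstration.
    sample_salt = bytes(range(16))
    entry = encode_pbkdf2("test", sample_salt, 1000)
    print(entry)
    print("correct password:", verify_pbkdf2("test", entry))
    print("wrong password:  ", verify_pbkdf2("Test", entry))
```

Because the salt is stored alongside the hash, two users with the same password get different entries, and the iteration count can be raised per entry without changing the format; the parser refuses an entry whose hash length disagrees with `dkLen`, which is the kind of silent mismatch a hand-edited user-mapping.xml invites.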