[ https://issues.apache.org/jira/browse/GUACAMOLE-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17702122#comment-17702122 ]

Nick Couchman commented on GUACAMOLE-1743:
------------------------------------------

[~matt3o12]: We'd love to have the contributions, so please feel free to give 
it a go. I think the user-mapping.xml file should be kept much in the format it 
is, now, so I'd just say whatever changes you make should attempt to maintain 
backward-compatibility while adding the features you're wanting to see. Other 
than that, give it a go, and I'm sure there will be some more input during the 
pull request review.

> Add support for more secure hashing algorithms in user-mapping.xml
> ------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1743
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1743
>             Project: Guacamole
>          Issue Type: Improvement
>            Reporter: Matteo Kloiber
>            Priority: Trivial
>
> Currently only SHA-256 and MD5 are supported in user-mapping.xml. Both 
> algorithms are very vulnerable to hash table attacks as no salt or similar 
> mechanics are used.
>  
> This is a problem for home lab setups as this method is not much better than 
> leaking the plaintext password in a configuration file.
> I was thinking of using a hashing algorithm such as Argon2 or PBKDF2. 
> Although I believe Argon2 is better, PBKDF2 might be preferable as it's 
> already in the standard library. Another problem is that both algorithms need 
> more parameters than just the hash, such as the salt and the number of 
> iterations. So an encoding for the password parameter might be easier than 
> creating more parameters just for this algorithm.
>  
> For example, with the password test, one might encode it like this:
>  <authorize username="matt3o12" 
> password="128:1000:HCgQ/crR+Ed3m5zAzcEk7w==:pzozvnzyXuz40RjCTbHv1A==" 
> encoding="PBKDF2WithHmacSHA256">
>  
> The encoding is dkLen:iterations:salt:password
>  
> What are your thoughts about this? How should the additional parameters be 
> encoded? Part of the password or maybe with additional XML parameters.
> I think having good password hashing is really important, especially for home 
> lab setups, where other login algorithms are overkill.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)