[AAA-46] aaa passwords are stored in clear text Created: 01/Jul/15 Updated: 21/Mar/19 Resolved: 25/Aug/15 |
|
| Status: | Resolved |
| Project: | aaa |
| Component/s: | General |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | ||
| Reporter: | Ryan Goulding | Assignee: | Sharon Aicler |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Operating System: All |
| External issue ID: | 3924 |
| Description |
|
aaa users' passwords are stored and compared in clear text. This is a security vulnerability; passwords should be encrypted using a one-way encryption mechanism, and digests should be compared instead of the clear text password. |
| Comments |
| Comment by Ryan Goulding [ 15/Jul/15 ] |
|
Sharon, I have a working prototype for this; it was an AAA backlog item and a bug. I forgot to select the "take" button. I don't want to duplicate work; have you already created a patch for this? If so, I will abandon my work. Otherwise, I have a working prototype using MD5, and am changing it today to use stronger encryption. Thanks, |
| Comment by Sharon Aicler [ 15/Jul/15 ] |
|
Hi Ryan, |
| Comment by Ryan Goulding [ 15/Jul/15 ] |
|
Thanks for the prompt reply; please add me as a reviewer. Should we be using something a bit more heavyweight such as PBKDF2WithMacSHA1? |
| Comment by Ryan Goulding [ 23/Aug/15 ] |
|
https://git.opendaylight.org/gerrit/#/c/24085/ Thanks, Sharon. Closing this out now. |