Password Hashing

Barry O'Donovan edited this page May 23, 2017 · 7 revisions

DEPRECATED IN V4: please use the new framework for this - see here

Password hashing is a configuration option. In application.ini there are two options currently available:

resources.auth.oss.pwhash  = "bcrypt"
resources.auth.oss.hash_cost  = 9

or

resources.auth.oss.pwhash  = "plaintext"

When plaintext is selected, there is a message displayed to the user on the password reset page and on the profile page to alert them to this.

Note that using plaintext passwords is inherently insecure and INEX strongly advises IXP Manager operators not to use this. Plaintext passwords are deprecated and support for this feature will be removed from future releases of IXP Manager.
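An added example (not IXP Manager's own code) of what the two settings above mean in PHP: bcrypt hashing at the configured hash_cost, and a verify step that detects legacy plaintext records or hashes made at a different cost so they can be replaced on the user's next successful login. The $config array, the function names and the sample records are this example's own assumptions, not identifiers from the project.

```php
<?php
declare(strict_types=1);

// Mirrors resources.auth.oss.pwhash / resources.auth.oss.hash_cost (assumed shape).
$config = ['pwhash' => 'bcrypt', 'hash_cost' => 9];

function hashPassword(string $password, array $config): string
{
    if ($config['pwhash'] === 'plaintext') {
        return $password;                      // deprecated mode: stored as-is
    }
    // bcrypt output looks like "$2y$<cost>$<salt+hash>": the cost is embedded,
    // so raising hash_cost later changes new hashes only, never existing ones.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $config['hash_cost']]);
}

// Returns [bool $ok, ?string $replacement]. A non-null replacement means the
// stored value should be rewritten: it was plaintext, or a bcrypt hash whose
// embedded cost differs from the configured hash_cost.
function verifyPassword(string $password, string $stored, array $config): array
{
    $info = password_get_info($stored);
    if (empty($info['algo'])) {
        // Not a recognised hash: treat as a legacy plaintext record.
        $ok = hash_equals($stored, $password);   // constant-time comparison
        $upgrade = $ok && $config['pwhash'] === 'bcrypt';
        return [$ok, $upgrade ? hashPassword($password, $config) : null];
    }
    $ok = password_verify($password, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $config['hash_cost']]);
    return [$ok, $rehash ? hashPassword($password, $config) : null];
}

// Constructed sample records: one plaintext, one bcrypt hash made at cost 5.
$secret  = 'correct horse battery staple';
$oldHash = password_hash($secret, PASSWORD_BCRYPT, ['cost' => 5]);

foreach (['plaintext record' => $secret, 'cost-5 hash' => $oldHash] as $label => $stored) {
    [$ok, $replacement] = verifyPassword($secret, $stored, $config);
    printf("%s: ok=%d replace=%s\n", $label, $ok ? 1 : 0,
        $replacement === null ? 'no' : 'yes (' . substr($replacement, 0, 7) . '...)');
}
```

Both sample records verify, and both come back with a replacement hash at the configured cost, which is how an operator can migrate away from plaintext without forcing a reset.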

Why is the option to use plaintext available?

IXP Manager can interface with several third party packages with authentication requirements, including:

  • mailing list subscriptions (password to access archives and settings)
  • TACACS+ / RADIUS authentication for route collectors / console servers
  • staff services such as email, HTTP auth
  • helpdesk software
  • etc.

There is no single hashing mechanism which is supported by all these systems. If password hashing is enabled, then IXP Manager cannot fully integrate with these packages.

History

Some discussion of this can be found in tickets #35, #56 and #76.
