
Server plain text password security #1408

h00gs opened this Issue Mar 25, 2013 · 3 comments



h00gs commented Mar 25, 2013

I'm a little uneasy with plain text passwords in orientdb-server-config.xml and propose some minor changes in the current dev branch. I'm also a little uneasy about use of unencrypted binary and text sockets for the server, but I can see how you expect a user to manage their own SSL layer, or use OpenVPN on your commercial service, which I don't know much about.

You already have the encryption machinery in the code so what I've added is basically:

  1. a passphrase hasher invoked by starting ./server.sh with a "-p" argument (only for the linux script). The server is started and asks twice for a passphrase, then displays your existing digest2String SHA-256 hash, before quitting. The user pastes the hash into the pass value in the xml config file.
  2. a request for the root passphrase on server startup and shutdown. At least then the jvm instance invocation is somewhat secure. This will present a problem with automated spawning of instances, which I'm not doing just at the moment.
  3. the same hash-based authentication when a client tries to log into the server over the http socket. The password is still transmitted plain, but at least it is stored in the xml as a hash.

Further details at https://groups.google.com/d/msg/orient-database/lYzosWxyYzo/SIk6QbegnaYJ
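As an added example (not code from h00gs's patch and not OrientDB's own implementation), the following Python sketch shows the three pieces the list above describes: producing a SHA-256 hex digest for pasting into the config file, reading the stored value back out of the XML, and authenticating a presented password by hashing and comparing it. It goes one step beyond the issue by also handling a salted, iterated PBKDF2 format, which is what "stronger security" for a stored credential usually means. The XML snippet is a constructed, simplified stand-in for orientdb-server-config.xml, and the `pbkdf2-sha256$...` storage format is an assumption made here, not a format OrientDB uses.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for the salted format

# Constructed, simplified stand-in for the <users> section of
# orientdb-server-config.xml; the real file carries more elements.
SAMPLE_CONFIG = """<orient-server>
  <users>
    <user name="root" password="{root_hash}" resources="*"/>
  </users>
</orient-server>"""


def sha256_digest(passphrase: str) -> str:
    """Unsalted SHA-256 hex digest, the scheme the issue describes.

    The same passphrase always yields the same digest, so a leaked config
    can be checked against precomputed tables; it is still far better than
    a plain-text value.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def pbkdf2_digest(passphrase: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash in an assumed 'pbkdf2-sha256$iters$salt$hash' layout."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored credential
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, presented: str) -> bool:
    """Hash the presented passphrase the same way as the stored value and compare.

    hmac.compare_digest avoids leaking how many leading characters matched
    through timing differences.
    """
    if stored.startswith("pbkdf2-sha256$"):
        _, iters, salt_hex, _ = stored.split("$", 3)
        recomputed = pbkdf2_digest(presented, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(recomputed, stored)
    # Legacy layout: bare hex SHA-256 digest as pasted from the -p helper
    return hmac.compare_digest(sha256_digest(presented), stored)


def stored_password(config_xml: str, username: str) -> Optional[str]:
    """Return the password attribute for a named user, or None if absent."""
    root = ET.fromstring(config_xml)
    for user in root.iter("user"):
        if user.get("name") == username:
            return user.get("password")
    return None


def authenticate(config_xml: str, username: str, presented: str) -> bool:
    """Server-side check for a login attempt against the hashed config value."""
    stored = stored_password(config_xml, username)
    if stored is None:
        return False  # unknown user: reject without revealing why
    return verify(stored, presented)


if __name__ == "__main__":
    # Step 1: generate the digest and paste it into the config (constructed passphrase).
    config = SAMPLE_CONFIG.format(root_hash=pbkdf2_digest("correct horse battery staple"))
    # Step 3: a client logs in; only the hash ever lives in the XML.
    print(authenticate(config, "root", "correct horse battery staple"))  # True
    print(authenticate(config, "root", "wrong"))                         # False
```

Either format can be dropped into the `password` attribute, so a deployment can migrate from the bare digest to the salted one user by user without changing the login path.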


being able to provide an encrypted/digested/hashed value in the password field in the orientdb-server-config.xml would be great.

@lvca lvca added the enhancement label Oct 3, 2014

@lvca lvca added this to the 2.1 milestone Oct 3, 2014

@lvca lvca modified the milestones: 2.2, 2.1 Feb 1, 2015


tglman commented Aug 10, 2015

this is already partially fixed, keeping it open to make security stronger.

relative commits:


lvca commented Aug 19, 2015

This is a duplicate of #2811, already fixed.

@lvca lvca closed this Aug 19, 2015

@lvca lvca assigned lvca and unassigned tglman Aug 19, 2015
