Description of problem: Currently the included hashing for the user passwords in the user properties files is via MD5. This is an insufficient crypto algorithm and it would be desirable to have a FIPS-140 compliant algorithm in its place.
Version-Release number of selected component (if applicable): All
How reproducible: Fully
Steps to Reproduce: 1. N/A
There is a lot more to this than just changing the contents of the properties file. Upstream within WildFly work is underway to enable stronger hashes for Digest authentication - this will allow us to use stronger hashes in these properties files.
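As an added illustration (not code from this bug, WildFly or EAP), the Python below computes the Digest HA1 value that such a properties file stores, MD5 beside the SHA-256 construction from RFC 7616, and audits a constructed file for entries that are still MD5. The `username=HEX(H(username ':' realm ':' password))` layout and the `ManagementRealm` name are assumed from EAP 6's mgmt-users.properties.

```python
import hashlib
import re

# Hypothetical helper (added example, not WildFly/EAP code): the HA1 value a
# Digest-authentication realm stores, HEX(H(username ':' realm ':' password)).
# EAP 6 writes this with H = MD5; RFC 7616 defines the same construction with
# SHA-256, assumed here as the stronger candidate the thread asks for.
def digest_ha1(username: str, realm: str, password: str, algorithm: str = "md5") -> str:
    if algorithm not in ("md5", "sha-256"):
        raise ValueError("unsupported digest algorithm: " + algorithm)
    h = hashlib.new(algorithm.replace("-", ""))
    h.update(f"{username}:{realm}:{password}".encode("utf-8"))
    return h.hexdigest()

# Map the stored hex length back to the algorithm that produced it; a value
# 32 hex chars wide is a 128-bit digest, i.e. MD5 in this file format.
_DIGEST_BY_LEN = {32: "md5", 64: "sha-256"}

def audit_properties(text: str):
    """Return (username, algorithm, weak) for each entry in a properties file.

    Blank lines and '#' comments are skipped; an entry whose value is not a
    recognised hex digest is reported as 'unknown' and treated as weak so it
    cannot silently pass a FIPS review.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition("=")
        stored = stored.strip()
        if re.fullmatch(r"[0-9a-fA-F]+", stored):
            algorithm = _DIGEST_BY_LEN.get(len(stored), "unknown")
        else:
            algorithm = "unknown"
        findings.append((user.strip(), algorithm, algorithm != "sha-256"))
    return findings

# Constructed sample file: one legacy MD5 entry and one SHA-256 entry.
SAMPLE_PROPERTIES = "\n".join([
    "# username=HEX(H(username ':' realm ':' password))",
    "admin=" + digest_ha1("admin", "ManagementRealm", "secret"),
    "ops=" + digest_ha1("ops", "ManagementRealm", "secret", "sha-256"),
])

if __name__ == "__main__":
    for user, algorithm, weak in audit_properties(SAMPLE_PROPERTIES):
        print(f"{user}: {algorithm}{' (not FIPS 140-2 approved)' if weak else ''}")
```

On a host whose OpenSSL runs in FIPS mode, `hashlib.new("md5")` itself may be refused, which is the same constraint the thread describes for the server.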
Darran, In the push to get the U.S. gov to embrace open source technologies more, we have to abide by STIG (define stig here) requirements that mandate that passwords follow FIPS 140-2 algorithms. We know that the Vault is getting a FIPS 140-2 compliant algorithm in 6.1.1. We wanted to raise an issue about the hashed passwords in the properties files as well. While our clients might get by with getting waivers for a short period of time, this would put EAP at a risk of staying in production mode once the waivers expire. Of course there are technical challenges to accomplish this, however the solution implemented would allow us to ensure EAP's presence in the DoD space. Thanks!
The other options are that those users can also either provide their own plug-in for the realm that meets their needs, or delegate to JAAS and a login module that meets their needs. The current properties files should not be seen as a barrier, they are just a default initial configuration.
Your comment is correct. However the clients that we have will either use the properties files or move to LDAP. No databases are used to host passwords and usernames. Their end clients are military sites with different budgets/restrictions... Therefore not all of them are able to use LDAP. I understand your frustration, but this is a complaint that we have received from DoD clients for a while. (EAP 5 included)