What password encryption Hudson is using?

后端 未结 1 1029
没有蜡笔的小新
没有蜡笔的小新 2021-02-10 15:06

This is what I see in hudson/users/me/config.xml:

[...]

  mEDUyJ:0c9         


        
1条回答
  •  北恋
    北恋 (楼主)
    2021-02-10 15:51

    The source code responsible for this is found in the hudson.security.HudsonPrivateSecurityRealm class (more specifically, the PasswordEncoder inner class).

    Consider your example:

    mEDUyJ:0c9e6f2556b9b3a0b9e9046c21490422b4a54877f057b527b2c0bd4dc83342d5

    The prefix (mEDUyJ) is actually a six-letter salt. A salt can be any six-letter permutation of uppercase letters and lowercase letters.

    Hudson uses the Acegi Security library. More specifically, it uses that library's ShaPasswordEncoder class. It's basically doing this:

    String salt = generateSomeSixLetterSalt() // Fictional function
    String passwordHash = salt + ":" + new ShaPasswordEncoder(256).encodePassword(password, salt);
    

    Once you view the source code for ShaPasswordEncoder, you find this it's essentially doing this:

    // Fictional functions ahead...
    String salt = generateSomeSixLetterSalt()
    String passwordHash = salt + ":" + hex_encode(sha256_hash(utf8_encode(password + "{" + salt + "}")))
    

    0 讨论(0)
提交回复
热议问题