2020-07-23 12:42:33 -04:00
|
|
|
[discrete]
|
2018-08-21 05:05:42 -04:00
|
|
|
[[hashing-settings]]
|
|
|
|
==== User cache and password hash algorithms
|
|
|
|
|
|
|
|
Certain realms store user credentials in memory. To limit exposure
|
|
|
|
to credential theft and mitigate credential compromise, the cache only stores
|
|
|
|
a hashed version of the user credentials in memory. By default, the user cache
|
|
|
|
is hashed with a salted `sha-256` hash algorithm. You can use a different
|
|
|
|
hashing algorithm by setting the `cache.hash_algo` realm settings to any of the
|
|
|
|
following values:
|
|
|
|
|
|
|
|
[[cache-hash-algo]]
|
|
|
|
.Cache hash algorithms
|
|
|
|
|=======================
|
|
|
|
| Algorithm | | | Description
|
|
|
|
| `ssha256` | | | Uses a salted `sha-256` algorithm (default).
|
|
|
|
| `md5` | | | Uses `MD5` algorithm.
|
|
|
|
| `sha1` | | | Uses `SHA1` algorithm.
|
|
|
|
| `bcrypt` | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
|
|
|
|
| `bcrypt4` | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
|
|
|
|
| `bcrypt5` | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
|
|
|
|
| `bcrypt6` | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
|
|
|
|
| `bcrypt7` | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
|
|
|
|
| `bcrypt8` | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
|
|
|
|
| `bcrypt9` | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
|
|
|
|
| `pbkdf2` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 10000 iterations.
|
|
|
|
| `pbkdf2_1000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 1000 iterations.
|
|
|
|
| `pbkdf2_10000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 10000 iterations.
|
|
|
|
| `pbkdf2_50000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 50000 iterations.
|
|
|
|
| `pbkdf2_100000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 100000 iterations.
|
|
|
|
| `pbkdf2_500000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 500000 iterations.
|
|
|
|
| `pbkdf2_1000000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 1000000 iterations.
|
|
|
|
| `noop`,`clear_text` | | | Doesn't hash the credentials and keeps it in clear text in
|
|
|
|
memory. CAUTION: keeping clear text is considered insecure
|
|
|
|
and can be compromised at the OS level (for example through
|
|
|
|
memory dumps and using `ptrace`).
|
|
|
|
|=======================
|
|
|
|
|
|
|
|
Likewise, realms that store passwords hash them using cryptographically strong
|
|
|
|
and password-specific salt values. You can configure the algorithm for password
|
|
|
|
hashing by setting the `xpack.security.authc.password_hashing.algorithm` setting
|
|
|
|
to one of the following:
|
|
|
|
|
|
|
|
[[password-hashing-algorithms]]
|
|
|
|
.Password hashing algorithms
|
|
|
|
|=======================
|
|
|
|
| Algorithm | | | Description
|
|
|
|
|
|
|
|
| `bcrypt` | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds. (default)
|
|
|
|
| `bcrypt4` | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
|
|
|
|
| `bcrypt5` | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
|
|
|
|
| `bcrypt6` | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
|
|
|
|
| `bcrypt7` | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
|
|
|
|
| `bcrypt8` | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
|
|
|
|
| `bcrypt9` | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
|
|
|
|
| `bcrypt10` | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
|
|
|
|
| `bcrypt11` | | | Uses `bcrypt` algorithm with salt generated in 2048 rounds.
|
|
|
|
| `bcrypt12` | | | Uses `bcrypt` algorithm with salt generated in 4096 rounds.
|
|
|
|
| `bcrypt13` | | | Uses `bcrypt` algorithm with salt generated in 8192 rounds.
|
|
|
|
| `bcrypt14` | | | Uses `bcrypt` algorithm with salt generated in 16384 rounds.
|
|
|
|
| `pbkdf2` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 10000 iterations.
|
|
|
|
| `pbkdf2_1000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 1000 iterations.
|
|
|
|
| `pbkdf2_10000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 10000 iterations.
|
|
|
|
| `pbkdf2_50000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 50000 iterations.
|
|
|
|
| `pbkdf2_100000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 100000 iterations.
|
|
|
|
| `pbkdf2_500000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 500000 iterations.
|
|
|
|
| `pbkdf2_1000000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
|
|
|
|
pseudorandom function using 1000000 iterations.
|
|
|
|
|=======================
|
|
|
|
|
|
|
|
|