lqb
/
elasticsearch
spegling av https://gitee.com/mirrors/elasticsearch.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127
							[discrete]
[[hashing-settings]]
==== User cache and password hash algorithms

Certain realms store user credentials in memory. To limit exposure
to credential theft and mitigate credential compromise, the cache only stores
a hashed version of the user credentials in memory. By default, the user cache
is hashed with a salted `sha-256` hash algorithm. You can use a different
hashing algorithm by setting the <<static-cluster-setting,static>>
`cache.hash_algo` realm settings to any of the following values:

[[cache-hash-algo]]
.Cache hash algorithms
|=======================
| Algorithm               | | | Description
| `ssha256`               | | | Uses a salted `sha-256` algorithm (default).
| `md5`                   | | | Uses `MD5` algorithm.
| `sha1`                  | | | Uses `SHA1` algorithm.
| `bcrypt`                | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
| `bcrypt4`               | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
| `bcrypt5`               | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
| `bcrypt6`               | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
| `bcrypt7`               | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
| `bcrypt8`               | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
| `bcrypt9`               | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
| `pbkdf2`                | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations.
| `pbkdf2_1000`           | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000 iterations.
| `pbkdf2_10000`          | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations.
| `pbkdf2_50000`          | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 50000 iterations.
| `pbkdf2_100000`         | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 100000 iterations.
| `pbkdf2_500000`         | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                              pseudorandom function using 500000 iterations.
| `pbkdf2_1000000`        | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000000 iterations.
| `pbkdf2_stretch`        | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_1000`   | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_10000`  | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_50000`  | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 50000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_100000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 100000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_500000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 500000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_1000000`| | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000000 iterations, after hashing the
                             initial input with SHA512 first.
| `noop`,`clear_text`     | | | Doesn't hash the credentials and keeps it in clear text in
                            memory. CAUTION: keeping clear text is considered insecure
                            and can be compromised at the OS level (for example through
                            memory dumps and using `ptrace`).
|=======================

Likewise, realms that store passwords hash them using cryptographically strong
and password-specific salt values. You can configure the algorithm for password
hashing by setting the <<static-cluster-setting,static>>
`xpack.security.authc.password_hashing.algorithm` setting to one of the
following:

[[password-hashing-algorithms]]
.Password hashing algorithms
|=======================
| Algorithm               | | | Description

| `bcrypt`                | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds. (default)
| `bcrypt4`               | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
| `bcrypt5`               | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
| `bcrypt6`               | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
| `bcrypt7`               | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
| `bcrypt8`               | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
| `bcrypt9`               | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
| `bcrypt10`              | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
| `bcrypt11`              | | | Uses `bcrypt` algorithm with salt generated in 2048 rounds.
| `bcrypt12`              | | | Uses `bcrypt` algorithm with salt generated in 4096 rounds.
| `bcrypt13`              | | | Uses `bcrypt` algorithm with salt generated in 8192 rounds.
| `bcrypt14`              | | | Uses `bcrypt` algorithm with salt generated in 16384 rounds.
| `pbkdf2`                | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations.
| `pbkdf2_1000`           | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000 iterations.
| `pbkdf2_10000`          | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations.
| `pbkdf2_50000`          | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 50000 iterations.
| `pbkdf2_100000`         | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 100000 iterations.
| `pbkdf2_500000`         | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                              pseudorandom function using 500000 iterations.
| `pbkdf2_1000000`        | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000000 iterations.
| `pbkdf2_stretch`        | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_1000`   | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_10000`  | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 10000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_50000`  | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 50000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_100000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 100000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_500000` | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 500000 iterations, after hashing the
                             initial input with SHA512 first.
| `pbkdf2_stretch_1000000`| | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                             pseudorandom function using 1000000 iterations, after hashing the
                             initial input with SHA512 first.
|=======================