[JDEV] digest and ldap and authentication
Konrad Podloucky
konrad at pelimbert.tssc.univie.ac.at
Sun Jul 30 11:08:17 CDT 2000
On 30-Jul-2000 Jerrad Pierce enlightened me with:
>
> None of this really has to be a problem...
>
> Why are you under the impression you must pass the data to
> LDAP in plaintext?
>
> If the client provides the data hashed, then store that hash in LDAP's
> password field... To authenticate, take the hash the client supplies,
> and use the standard mechanism for verifying a password w/ LDAP.
>
However, the client doesn't provide the same hash every time it
authenticates (that's the whole point, otherwise this
authentication scheme would be rather useless).
You definitely NEED the plaintext password on the server
somewhere otherwise Jabber's authentication method doesn't work.
> So LDAP doesn't have a direct copy of the password, big deal. If at least
> one of the hashing algorithms used is sufficiently good, all is well.
> And it could be argued that this is more secure, since the server has no real
> knowledge of the password.
>
See above. Either the client has to send a plaintext password,
or the server must have the plaintext password available and the
client sends a hash of the password and some other unique string.
> This is kinda the whole point behind OTP (RFC 1938)
>
> Additionally, you don't really need SSL to have encrypted connections either.
> A chaining block cipher would work just as well. For examples see the HCE::*
> modules for Perl.
>
You're right there, but it isn't all about encryption; it's also
about authentication (not only client- but also
server-authentication), and SSL really provides a nice framework
here.
Just my $0.02
Konrad
________________________________________________________________
 .~.   Konrad Podloucky <konrad at pelimbert.tssc.univie.ac.at>
 /V\   Running GNU/Linux 2.2.17pre3 on an Alpha
// \\  GnuPG/PGP-key available by request
/( )\  "It's all fun and games until someone gets hurt...
^^-^^   then it's just fun."
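The distinction Konrad draws above (a per-session digest of the password plus a unique string needs the plaintext on the server, while a stored static hash only works if the client sends that same hash every time) played out as an added example; this is not code from the thread or from the Jabber project. It assumes the digest is hex SHA-1 over the server's stream id concatenated with the password, the form used by the legacy jabber:iq:auth mechanism; the post itself only says "a hash of the password and some other unique string". The password and stream ids are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential, not taken from the thread.
PASSWORD = "correct horse battery staple"


def new_stream_id() -> str:
    """Server-chosen per-connection nonce (the Jabber stream id); fresh every session."""
    return secrets.token_hex(16)


def client_digest(stream_id: str, password: str) -> str:
    """What the client sends instead of the password. Assumed form: hex SHA-1 over
    the stream id concatenated with the password (the legacy jabber:iq:auth digest;
    the post itself only says 'a hash of the password and some other unique string')."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


def password_hash(password: str) -> str:
    """A static, salt-free hash of the password alone, the kind of value the quoted
    proposal would store in LDAP's password field."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_with_plaintext(stream_id: str, stored_password: str, digest: str) -> bool:
    """Server that has the plaintext available: recompute the digest for this
    session's stream id and compare in constant time."""
    expected = client_digest(stream_id, stored_password)
    return hmac.compare_digest(expected, digest)


def verify_with_stored_hash(stream_id: str, stored_hash: str, digest: str) -> bool:
    """Server that only holds SHA1(password). It cannot compute
    SHA1(stream_id + password) from that, so the best it can do is compare the
    stored hash with what the client sent, which never matches a per-session digest."""
    return hmac.compare_digest(stored_hash, digest)


def verify_static_hash_login(stored_hash: str, presented_hash: str) -> bool:
    """The scheme the quoted message proposes: the client sends the same hash every
    time and the server compares it with the stored one. This works, but the hash is
    now a password equivalent that anyone who captured it can replay."""
    return hmac.compare_digest(stored_hash, presented_hash)


def run_scenarios() -> dict:
    """Play both server designs against a legitimate client and a replaying eavesdropper."""
    sid1, sid2 = new_stream_id(), new_stream_id()
    digest1 = client_digest(sid1, PASSWORD)   # sent in session 1
    digest2 = client_digest(sid2, PASSWORD)   # sent in session 2
    stored_hash = password_hash(PASSWORD)
    return {
        # Digest auth works only when the server can reach the plaintext.
        "plaintext_server_accepts_client": verify_with_plaintext(sid1, PASSWORD, digest1),
        "plaintext_server_rejects_wrong_pw": verify_with_plaintext(sid1, "wrong", digest1),
        # The same client against a server that kept only a hash: always rejected.
        "hash_only_server_accepts_client": verify_with_stored_hash(sid1, stored_hash, digest1),
        # Why the digest changes per session: a captured digest is useless next time.
        "digest_changes_per_session": digest1 != digest2,
        "replayed_digest_rejected": verify_with_plaintext(sid2, PASSWORD, digest1),
        # The static-hash alternative: replay of a captured value succeeds.
        "static_hash_replay_accepted": verify_static_hash_login(stored_hash, stored_hash),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Run it and the two server designs fall out directly: the plaintext-holding server accepts the per-session digest and rejects a replay of last session's digest, while the hash-only server rejects the legitimate client every time, and the static-hash login accepts a replayed value because the stored hash has become the password.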