[JDEV] digest and ldap and authentication
Jerrad Pierce
belg4mit at CALLOWAY.MIT.EDU
Sun Jul 30 11:40:49 CDT 2000
In reply to your message from the not too distant future: next Sunday AD
cc: mass at ufl.edu
Reply-to: belg4mit at mit.edu
Return-receipt-to: belg4mit at mit.edu
Organization: a) Discordia b) none c) what's that?
Content-Typo: gibberish, charset=ascii-art
Date: Sun, 30 Jul 2000 12:40:47 EDT
From: Jerrad Pierce <belg4mit>
>The problem with this method is that if you capture the hash sent from the
>client, you are prone to replay attacks, and if you hack the server and get
>the hash, you can log in as any client you would like... in other words,
>you've just created plaintext authentication with much more random-looking
>passwords.
Which is why I suggested OTP as per RFC 1938
Then the LDAP/Jabber interface layer need only get the password from the
database (stored in a "plaintext" field), hash the client response once.
If they match, store the client response in the field and allow access.
--
* __ * .
\ | / . . . . . ((_
_____ . . .
-- / \ -- . . . + . . _/\
oooooooooo. | * . . . * / ;M\_ .
.oooooooooooo.oo. . . . . /\ . / :IMM\
..oooooooooooo..oo. Jerrad Pierce /\ / \ / ;IIWMM
..oooooooooo....... 209 North Street + / \ / \ . / ;IIIIWM
...ooooooooo....... Randolph, MA 02368 / \ \ ___/ :;IIIIIWM
....ooo....o....... / \ \ / :: ;;IIIMI
.....ooo......... http://www.pthbb.org / \ \ : :::;IIIM
..ooooooo.... __________________________ || || ::.....::::::
MOTD on Sweetmorn, the 65th of Confusion, in the YOLD 3166:
Your ignorance cramps my conversation.
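The RFC 1938 (S/KEY-style) check described in the message above, as an added example that is not part of the original post and not Jabber or LDAP code: the client holds a hash chain derived from a passphrase and seed, the server stores only the last accepted value, hashes the client's response once and compares, and on success overwrites the stored value with that response. Assumptions: SHA-256 is used for the chain step instead of RFC 1938's MD4/MD5/SHA-1 folded to 64 bits, responses are raw digest bytes rather than the six-word encoding, and the names `OtpServer`, `generate_chain`, `demo`, the user "alice", the passphrase and the seed are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac

# Added example, not code from the original post. Simplified relative to
# RFC 1938 (assumption): full SHA-256 digests instead of a 64-bit folded
# MD4/MD5/SHA-1 output and six-word encoding. The chain logic is the same.


def otp_hash(value: bytes) -> bytes:
    """One step of the one-way hash chain."""
    return hashlib.sha256(value).digest()


def generate_chain(passphrase: str, seed: str, count: int) -> list[bytes]:
    """Return [h^0(S), h^1(S), ..., h^count(S)] with S = seed || passphrase.

    Only the client needs the whole chain (or the passphrase to recompute
    it); the server is given h^count at enrollment and nothing else.
    """
    value = (seed + passphrase).encode()
    chain = [value]
    for _ in range(count):
        value = otp_hash(value)
        chain.append(value)
    return chain


class OtpServer:
    """Holds the 'plaintext' field from the message: the last accepted OTP.

    The stored value is h^n(S). A valid login must present h^(n-1)(S),
    which cannot be derived from the stored value, so neither a sniffed
    response nor a dumped database entry can be replayed.
    """

    def __init__(self) -> None:
        self._last_accepted: dict[str, tuple[int, bytes]] = {}

    def enroll(self, user: str, sequence: int, initial: bytes) -> None:
        # initial = h^sequence(S), computed by the client at enrollment.
        self._last_accepted[user] = (sequence, initial)

    def challenge(self, user: str) -> int:
        # Sequence number the client must answer for: one below what is stored.
        seq, _ = self._last_accepted[user]
        return seq - 1

    def stored_value(self, user: str) -> bytes:
        # What an attacker would obtain by reading the server's database.
        return self._last_accepted[user][1]

    def verify(self, user: str, response: bytes) -> bool:
        seq, stored = self._last_accepted[user]
        if seq <= 0:
            return False  # chain exhausted; the user must re-enroll
        # Hash the response once and compare in constant time.
        if not hmac.compare_digest(otp_hash(response), stored):
            return False
        # Accept: the response becomes the new stored value.
        self._last_accepted[user] = (seq - 1, response)
        return True


def demo() -> dict[str, bool]:
    """Walk through a login, a replay, a second login, and a stolen-field attempt."""
    chain = generate_chain("correct horse", "ke1234", 100)  # constructed inputs
    srv = OtpServer()
    srv.enroll("alice", 100, chain[100])

    n = srv.challenge("alice")  # 99
    first = srv.verify("alice", chain[n])  # accepted
    replay = srv.verify("alice", chain[n])  # sniffed response reused: rejected
    second = srv.verify("alice", chain[srv.challenge("alice")])  # next OTP works
    stolen = srv.verify("alice", srv.stored_value("alice"))  # dumped field: rejected
    return {"first": first, "replay": replay, "second": second, "stolen": stolen}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: RFC 1938 removes the replay and stored-credential problems raised in the quoted text, but the stored value is still a hash of seed and passphrase, so an attacker who dumps it can run an offline dictionary attack on a weak passphrase, and the chain must be re-initialised before the sequence number reaches zero.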