
Re: Confused on best security method...



On Wed, Jul 25, 2001 at 09:36:41AM -0400, Kevin J. Menard, Jr. wrote:

> SSHA is a seeded algorithm and produces a unique result every time.
> However, SSL/TLS is still in order, because it is possible, albeit very
> hard, to crack that password hash, if it's sniffed being sent in the clear.

Indeed.

> Actually, I think you can even send that hash that you sniff right back at
> openldap and it would authenticate.

I hope, and believe, that is not correct. I tried binding with the hash
itself, and with "{SSHA}" + hash, and neither bind was successful (OpenLDAP
2.0.11). Any system that allowed a client to present the hash itself in lieu
of the appropriate cleartext password would be seriously broken.

-Peter
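As an added illustration of the two points in this exchange (the salted {SSHA} scheme giving a different string each time, and a bind with the hash itself failing), here is a small Python model of how a directory server verifies a userPassword stored in the {SSHA} scheme. This is example code written for this page, not OpenLDAP's implementation; the 4-byte salt length and the sample password are constructed assumptions. The scheme itself is base64(sha1(password + salt) + salt), so the server can recover the salt from the stored value and re-hash whatever cleartext the client presents.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed model of the {SSHA} userPassword scheme:
#   "{SSHA}" + base64( sha1(password + salt) + salt )
# Illustrative code for this page, not OpenLDAP's own implementation.

SHA1_LEN = 20   # SHA-1 digest length in bytes
SALT_LEN = 4    # assumed salt length for freshly generated hashes


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} string for storage.

    A fresh random salt means the same password yields a different stored
    string on every call; the salt travels inside the string so the server
    can reproduce the computation later.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: bytes, stored: str) -> bool:
    """Server-side check for a simple bind.

    The candidate is treated strictly as cleartext: it is hashed together
    with the stored salt and the digests are compared in constant time.
    A client that sends the stored hash string (or the bare base64) instead
    of the password is simply hashing the wrong bytes and fails.
    """
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:  # must contain a digest plus a non-empty salt
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    recomputed = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(recomputed, digest)


def demo() -> dict:
    """Exercise the properties discussed in the thread with a constructed password."""
    password = b"correct horse"   # constructed sample password
    stored_a = ssha_hash(password)
    stored_b = ssha_hash(password)
    bare_b64 = stored_a[len("{SSHA}"):]
    return {
        # seeded/salted: two stores of the same password differ
        "salted_strings_differ": stored_a != stored_b,
        # ...but the real cleartext verifies against either of them
        "cleartext_verifies": ssha_verify(password, stored_a)
                              and ssha_verify(password, stored_b),
        # replaying the stored value, with or without the {SSHA} prefix, fails
        "prefixed_hash_as_password_fails": not ssha_verify(stored_a.encode("ascii"), stored_a),
        "bare_hash_as_password_fails": not ssha_verify(bare_b64.encode("ascii"), stored_a),
        # and an ordinary wrong password fails too
        "wrong_password_fails": not ssha_verify(b"wrong", stored_a),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The salt only defeats precomputation and cross-account comparison; it does nothing against an attacker who captures the cleartext password during a bind, which is why the thread still recommends SSL/TLS for the bind itself.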