Re: Unix auth via LDAP & now need to add Samba!

[David Wright <ichbin@shadlen.org>]

Your step-by-step illustrates the flaw perfectly! The server stores HP.
But HP can be used for authentiation (by hashing with the challenge to
produce HC)! It's true that the cleartext of the password P is safe, so if
you find out HP you can't find the text P you need to enter in the
password dialog of a standard client. But you can just write your own
hacked client to use HP directly and authenticate to the server without
ever using P. The security of a server should never depend on the security
of the client.

> o When account password is set, concatenate with known salt (constant or
>   easily calculable from nonsensitive data) and hash the result.  Store
>   as "hashed password" (let's call this HPS).
> o When client requests connection, generate a challenge and send it.
> o Client concatenates password given by user with same known salt and
>   applies same hash, yielding HPC.
> o Client concatenates challenge with HPC and hashes the result, yielding
>   "hashed challenge" (HCC).  Client sends HCC to server.
> o Server concatenates challenge with HPS and hashes the result, yielding
>   HCS.
> o If HCC == HCS then the probability is very high that the user knows the
>   password.  Yet the password itself has never been stored.

Unix avoids this loophole by storing HP and not accepting HP as a form of
authentication.

I agree this has got off topic, but since you are clearly intelligent
enough to understand this, and it really should be in the archive for the
record.