Re: Schema: encrypted 8-bit userPassword and SASLprep
Michael Ströder writes:
>Hallvard B Furuseth wrote:
>> [Schema] 2.41 (userPassword) says:
>>
>> The application SHOULD prepare textual strings used as passwords
>> by transcoding them to Unicode, applying SASLprep [SASLprep], and
>> encoding as UTF-8.
>>
>> This is incompatible with passwords written in 8-bit character sets and
>> stored encrypted in files that cannot easily be decrypted, e.g. Unix
>> /etc/passwd files. Since the server does not know the plaintext
>> passwords, it cannot prepare them as above.
>
> IMHO the password should be encoded as UTF-8 before applying the hash.
> Maybe the wording is somewhat misleading though I'm not sure.
No. LDAP can't mandate how Unix should encode its /etc/passwd files,
and therefore also how the login, su and passwd programs should work.
> Note that hashed passwords are non-standard anyway... ;-)
No, they are irrelevant to the standard:
- The client binds with a plaintext password (hopefully inside TLS).
So the hashed password doesn't affect the protocol.
- The server matches the password from the client against the hashed
password, with the same algorithm as the login program does.
--
Hallvard