
Re: SHA Authentication



Jon Parry-McCulloch wrote:

>         Um, this isn't making sense to me. The password is sent in plaintext
> from where? Not the client, surely.

Where else?  This is just one more reason why SSL/TLS will be so useful. Until
then, you could shuttle your remote connections through SSH.

>                 The server will base64-unencode the hash from the db,
> retrieve the salt from the hash, and use that salt to hash with the
> binding password.  Then it compares the hashed binding password with the
> hashed password from the database.  If they're the same, you've
> authenticated yourself.
>
>         The DB has a plain copy of the password, yes? And it hashes this
> stored value with the received salt
>         and compares it with the received hash. This is what I said (or
> meant to say) in the first place.

If the password is hashed in any way, shape or form, then no, the server does
not store the password in plaintext.  The server *could* store the password in
plaintext if you configure it to, but your password will still be sent to the
server in plaintext in any event.

>         <groan> I really need SSHA, like, yesterday. I'd imagine that the
> files affected are few, yes?

Yes.  Which file you'll want to edit depends on what version of OpenLDAP
you're using.  Older versions use ldap/servers/slapd/back-ldbm/bind.c.
Newer, development releases use libraries/liblutil/passwd.c.  (I'm in
development land so my knowledge of actual *released* versions is pretty
slim. ;)

d
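The {SSHA} check described in the exchange above, as an added worked example that is not part of the original thread and not OpenLDAP's own code. It assumes the usual userPassword layout: {SHA} is base64(sha1(password)); {SSHA} is base64(sha1(password || salt) || salt), with the salt trailing the 20-byte SHA-1 digest so the server can recover it from the stored value. The 4-byte salt length is an assumption for hash generation only; verification takes whatever follows the digest. Note what the server needs to run this: the bind password itself, which is why a simple bind still sends it in the clear and why TLS or an SSH tunnel is needed on the wire.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20          # bytes in a SHA-1 digest
DEFAULT_SALT_LEN = 4   # assumption for the generator; verify() reads any length


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Same password -> same string."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted {SSHA}: base64(sha1(password || salt) || salt).

    The salt is stored in the clear after the digest; it is not secret, it
    only stops one precomputed table from covering every entry in the db.
    """
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def stored_salt(stored: str) -> bytes:
    """Recover the salt from a {SSHA} value (empty for {SHA} or bad input)."""
    if not stored.startswith("{SSHA}"):
        return b""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[SHA1_LEN:]


def verify_password(bind_password: str, stored: str) -> bool:
    """Server-side bind check.

    The client supplied bind_password in plaintext; the server base64-decodes
    the stored value, splits off the salt, re-hashes the bind password with
    that salt and compares the result to the stored digest.  It never needs
    (and with {SHA}/{SSHA} does not have) a plaintext copy of the password.
    """
    if stored.startswith("{SSHA}"):
        try:
            raw = base64.b64decode(stored[len("{SSHA}"):], validate=True)
        except (ValueError, base64.binascii.Error):
            return False
        if len(raw) <= SHA1_LEN:           # no salt present: malformed entry
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        candidate = hashlib.sha1(bind_password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        try:
            raw = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except (ValueError, base64.binascii.Error):
            return False
        if len(raw) != SHA1_LEN:
            return False
        digest = raw
        candidate = hashlib.sha1(bind_password.encode("utf-8")).digest()
    else:
        return False                       # unknown scheme: refuse, don't guess
    # Constant-time comparison so the match/mismatch position does not leak.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample entries, as a directory might store them.
    entries = {
        "cn=alice": ssha_hash("letmein"),
        "cn=bob": ssha_hash("letmein"),     # same password, different salt
        "cn=carol": sha_hash("letmein"),    # unsalted, so identical for any user
    }
    for dn, stored in entries.items():
        print(dn, stored, verify_password("letmein", stored),
              verify_password("wrong", stored))
```

The two {SSHA} entries for the same password differ because each carries its own salt, while {SHA} gives the same string for every user with that password; that per-entry salt is the whole gain of SSHA over SHA. Neither scheme changes what crosses the network during a simple bind.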