Re: ldap authentication (?)
Jan Iven wrote:
> The LDAP server supports hashed password entries, with selectable hashes. Simply use
> userPassword: {crypt}xxxyyyzzy
I know, I know, I was just pointing out possible problems. Besides, that
method brings the dilemma between client/server hashing, with both sides
of the argument equally deficient: if the client is permitted to hash,
the hash becomes password-equivalent (i.e. a symmetrical secret). If the server
hashes, the cleartext password must travel the net. So I think the whole
approach is hopeless from a security point of view, and everyone seems to be
arriving at the same conclusion.
Mind, this "UNIX" method was a perfect (modulo the small key-space of DES)
implementation of reusable, user-keyable authentication tokens for console
or directly connected terminals. But the world has changed. In case you
are wondering, "Windows-style" authentication over the network is another
can of worms altogether (in the symmetrical reusable-info category, with
additional basic low-level design mistakes).
> Using stunnel <http://mike.daewoo.com.pl/computer/stunnel/>, you can
> rather easily encrypt the communication between client and server.
This approach permits the server-hashes approach without compromising the
secret while on the wire. It remains a reusable authentication token, though.
Anyway, these things (like ssh-tunneling port-redirects) are just a temporary
measure. We have a standard for this, it is called SASL, and we will
eventually support it.
Julio
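The client-hashes / server-hashes dilemma and the "reusable token" point above are easy to see with a toy model. The following is an added example, not code from this thread or from any LDAP server: a one-entry directory holding userPassword in OpenLDAP's {SSHA} format (base64(SHA1(password || salt) || salt), used here instead of {crypt} so it runs with the standard library), three ways a client can prove the password to the server, and an eavesdropper who records one exchange and replays it. The "wire" is just Python function calls, and the challenge/response mode is a simplified HMAC-SHA256 over a server nonce in the spirit of SASL CRAM mechanisms, not the exact RFC 2195 message format. Password and salt values are constructed.

```python
"""Replayability of three password-check designs for an LDAP-style bind.

Modes:
  server_hashes      client sends cleartext, server hashes and compares ({SSHA})
  client_hashes      server discloses the account salt, client sends SHA1(pw||salt)
  challenge_response server sends a fresh nonce, client sends HMAC(pw, nonce)
An eavesdropper records the honest client's message and replays it.
"""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PASSWORD = b"correct horse battery"   # constructed sample credential


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt); a SHA-1 digest is 20 bytes, the rest is salt."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


class Server:
    def __init__(self, stored_ssha: str, cram_secret: Optional[bytes] = None):
        self.stored = stored_ssha
        # Challenge/response needs a secret the server can key an HMAC with;
        # a salted one-way hash is not enough, so the toy server keeps the
        # cleartext for that mode only.
        self.cram_secret = cram_secret
        self._pending_nonce: Optional[bytes] = None

    # Mode 1: server hashes. The password itself crosses the wire.
    def bind_cleartext(self, password: bytes) -> bool:
        digest, salt = ssha_split(self.stored)
        return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

    # Mode 2: client hashes. The server hands out the per-account salt and the
    # client returns SHA1(pw || salt); that value equals the stored digest, so
    # whoever holds it never needs the password.
    def salt_for_client(self) -> bytes:
        return ssha_split(self.stored)[1]

    def bind_client_hash(self, client_digest: bytes) -> bool:
        digest, _ = ssha_split(self.stored)
        return hmac.compare_digest(client_digest, digest)

    # Mode 3: challenge/response. Only a response to the nonce issued in this
    # session is accepted, and the nonce is consumed on use.
    def challenge(self) -> bytes:
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def bind_cram(self, response: bytes) -> bool:
        if self._pending_nonce is None or self.cram_secret is None:
            return False
        expected = hmac.new(self.cram_secret, self._pending_nonce, hashlib.sha256).digest()
        self._pending_nonce = None
        return hmac.compare_digest(response, expected)


def run_and_replay(mode: str) -> Dict[str, bool]:
    """Honest client authenticates once; an eavesdropper replays what it saw."""
    srv = Server(ssha_hash(PASSWORD), cram_secret=PASSWORD)
    if mode == "server_hashes":
        wire = PASSWORD                                   # captured: the password
        honest = srv.bind_cleartext(wire)
        replay = srv.bind_cleartext(wire)
    elif mode == "client_hashes":
        wire = hashlib.sha1(PASSWORD + srv.salt_for_client()).digest()  # fixed hash
        honest = srv.bind_client_hash(wire)
        replay = srv.bind_client_hash(wire)
    elif mode == "challenge_response":
        nonce = srv.challenge()
        wire = hmac.new(PASSWORD, nonce, hashlib.sha256).digest()       # nonce-bound
        honest = srv.bind_cram(wire)
        srv.challenge()                                   # attacker's session: new nonce
        replay = srv.bind_cram(wire)
    else:
        raise ValueError(mode)
    return {"honest_login": honest, "replay_succeeds": replay,
            "password_on_wire": wire == PASSWORD}


if __name__ == "__main__":
    for m in ("server_hashes", "client_hashes", "challenge_response"):
        print(f"{m:20s} {run_and_replay(m)}")
```

Both hashing placements yield a reusable token: in the first the eavesdropper learns the password outright, in the second a hash that is accepted forever because the salt is fixed per account. The nonce-bound response is the only one that does not replay, which is what SASL challenge/response mechanisms buy. The caveat visible in the code is that such mechanisms need the server to hold a recoverable secret (here `cram_secret`), not just a one-way {SSHA} or {crypt} hash, so they trade wire exposure for stored-secret exposure; stunnel, by contrast, hides the exchange from the eavesdropper but leaves the token itself reusable, as the post says.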