[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Confused on best secuirty method...

On Wed, Jul 25, 2001 at 09:36:41AM -0400, Kevin J. Menard, Jr. wrote:

> SSHA is a seeded algorithm and produces a unique result every time.
> However, SSL/TLS is still in order, because it is possible, albeit very
> hard, to crack that password hash, if it's sniffed being sent in the clear.


> Actually, I think you can even send that hash that you sniff right back at
> openldap and it would authenticate.

I hope, and believe, that is not correct. I tried binding with the hash
itself, and with "{SSHA}" + hash, and neither bind was successful (OpenLDAP
2.0.11). Any system that allowed a client to present th hash itself in lieu
of the appropriate cleartext password would be seriously broken.