[Date Prev][Date Next]
Re: Confused about md5 passwords
On Wednesday, 12. December 2001 17:15, Harry Hoffman wrote:
> Hi All,
> I'm a little confused and hopefully someone can help. I've added users
> into my ldap db with md5 passwords and authentication is working just fine.
> However when I use ngrep to watch the traffic between the application
> requesting autentication and the ldap db I see the password in clear text.
> Should this be happening? If so what purpose does moving to md5 present? Or
> is it just that should someone be able to grab the ldap passwords it will
> be more difficult to crack?
there is no algorithmic way to calculate a password from a hash value, so the
password needs to be transferred to the LDAP server. Simple authintication
(used by the PAM-modules) just does that. There are two ways to prevent
tranferring cleartext passwords.
a) use TLS. In this case the password is still transferred, but the whole
client-server communitcation is encrypted.
b) use SASL. SASL supports ways to authenticate without actually transferring
a password. Unfortunately pam_ldap does not support SASL and the credentials
are not stored in the directory. (A combination of nss_ldap and Kerberos may
Stephan Siano Mail: Stephan.Siano@suse.de
SuSE Linux Solutions AG Phone: 06196 50951 31
Mergenthalerallee 45-47 Fax: 06196 409607