
Re: Confused about md5 passwords

Stephan, Peter,
   Thanks for the response. Does the same go for SHA, and do you know if
nss_ldap even supports SHA? I definitely don't want to switch to Kerberos.


Quoting Stephan Siano <stephan.siano@suse.de>:

 There is no algorithmic way to calculate a password from a hash value, so the
 password needs to be transferred to the LDAP server. Simple authentication 
 (used by the PAM-modules) just does that. There are two ways to prevent 
 transferring cleartext passwords.
 a) use TLS. In this case the password is still transferred, but the whole 
 client-server communication is encrypted.
 b) use SASL. SASL supports ways to authenticate without actually transferring
 a password. Unfortunately pam_ldap does not support SASL and the credentials
 are not stored in the directory. (A combination of nss_ldap and Kerberos may
 help here).
 Stephan Siano 
 Stephan Siano                           Mail:  Stephan.Siano@suse.de
 SuSE Linux Solutions AG                 Phone: 06196 50951 31
 Mergenthalerallee 45-47			Fax:   06196 409607
 D-65760 Eschborn

This mail sent through IMP: http://horde.org/imp/
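
Added example, not part of the original messages: a sketch of how a directory server checks the cleartext from a simple bind against a hashed userPassword value in the common {MD5}/{SMD5}/{SHA}/{SSHA} encodings, which is why the same answer applies to SHA as to MD5 and why the password has to cross the wire (inside TLS). The function names and sample passwords are constructed for illustration; this is not the code of any LDAP server.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hashlib algorithm, digest length in bytes, salted?)
SCHEMES = {
    "{MD5}": ("md5", 16, False),
    "{SMD5}": ("md5", 16, True),
    "{SHA}": ("sha1", 20, False),
    "{SSHA}": ("sha1", 20, True),
}


def make_user_password(scheme, password, salt=None):
    """Build a userPassword value: scheme + base64(digest [+ salt])."""
    algo, _, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_simple_bind(stored, cleartext):
    """Server-side check: re-hash the received cleartext and compare.

    The stored hash cannot be turned back into the password, so the
    server can only verify a bind if the client sends the cleartext.
    """
    for scheme, (algo, dlen, salted) in SCHEMES.items():
        if not stored.upper().startswith(scheme):
            continue
        try:
            raw = base64.b64decode(stored[len(scheme):])
        except ValueError:
            return False  # malformed base64
        digest, salt = raw[:dlen], raw[dlen:]
        if len(digest) != dlen or (salt and not salted):
            return False  # truncated digest or unexpected trailing bytes
        candidate = hashlib.new(algo, cleartext + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return False  # unknown scheme: reject


if __name__ == "__main__":
    entry = make_user_password("{SSHA}", b"constructed-sample-pw")
    print(entry, verify_simple_bind(entry, b"constructed-sample-pw"))
```

Sending the stored hash itself as the bind password fails the check, since the server hashes whatever it receives.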