
Re: SASL and PAM based password changing

--On Friday, 8 February 2002 22:34 -0500 Carl J Meyer <carljm@goshen.edu> wrote:

On Fri, 8 Feb 2002, Norbert Klasen wrote:
--On Thursday, 7 February 2002 19:44 +0530 Shanker Balan <shanu@exocore.com> wrote:

> Correct. Hmm... so what purpose does the OpenLDAP "extended operations"
> serve?

The "Password Modify Extended Operation" (see RFC 3062) has been defined
to create a standard way for updating a user's password. As currently
implemented in OpenLDAP, it will automatically hash the password before
storing it in the userPassword attribute type.

It seems to me that, given a choice, I would on principle rather have PAM hash the password BEFORE transmission to the LDAP server (which I can do with pam_password <algorithm>) rather than having the server do the hash after sending the password cleartext. I guess if I care about security I'm of course using SSL anyways, but still...

The password will always be transmitted as cleartext when ldap simple bind (and SASL PLAIN) is used. To avoid this, one can either use a security layer which provides privacy protection or use non-cleartext authentication mechanisms. If the data transmission is encrypted, what is the gain of additionally hashing the password when it is changed/set? And for password-based authentication mechanisms which do not transfer the password as cleartext, the cleartext password is generally required by the server to be able to verify the credentials presented to it by a client.

Why would I want to use the password change exop when PAM handles things just beautifully without it?

- work around problems with different implementations of the "same" hash function on different platforms
- enforce the use of a certain hash function
- provide good random data for salted hash functions
- enforce a password policy
- support for non-cleartext authentication mechanisms

Norbert Klasen, Dipl.-Inform.
DAASI International GmbH                 phone: +49 7071 29 70336
Wilhelmstr. 106                          fax:   +49 7071 29 5114
72074 Tübingen                           email: norbert.klasen@daasi.de
Germany                                  web:   http://www.daasi.de