Re: SASL and PAM based password changing
--On Friday, 8 February 2002 22:34 -0500 Carl J Meyer <firstname.lastname@example.org>
On Fri, 8 Feb 2002, Norbert Klasen wrote:
--On Thursday, 7 February 2002 19:44 +0530 Shanker Balan
> Correct. Hmm... so what purpose does the OpenLDAP "extended operations"
The "Password Modify Extended Operation" (see RFC 3062) has been defined
to create a standard way for updating a user's password. As currently
implemented in OpenLDAP, it will automatically hash the password before
storing it in the userPassword attribute type.
> It seems to me that, given a choice, I would on principle rather
> have PAM hash the password BEFORE transmission to the LDAP server (which I
> can do with pam_password <algorithm>) rather than having the server do the
> hash after sending the password cleartext. I guess if I care about
> security I'm of course using SSL anyways, but still...
The password will always be transmitted as cleartext when LDAP simple bind
(and SASL PLAIN) is used. To avoid this, one can either use a security
layer which provides privacy protection or use non-cleartext authentication
mechanisms. If the data transmission is encrypted, what is the gain of
additionally hashing the password when it is changed/set? And for
password-based authentication mechanisms which do not transfer the password
as cleartext, the cleartext password is generally required by the server to
be able to verify the credentials presented to it by a client.
> Why would I want to use the password change exop when PAM handles things
> just beautifully without it?
- work around problems with different implementations of the "same" hash
function on different platforms
- enforce the use of a certain hash function
- provide good random data for salted hash functions
- enforce a password policy
- support for non-cleartext authentication mechanisms
Norbert Klasen, Dipl.-Inform.
DAASI International GmbH phone: +49 7071 29 70336
Wilhelmstr. 106 fax: +49 7071 29 5114
72074 Tübingen email: email@example.com
Germany web: http://www.daasi.de