[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Debugging a user authentication

On Tue, Nov 18, 2008 at 02:57:16PM +0100, Hallvard B Furuseth wrote:

> Andrew Findlay writes:
> > (1): The latest LDAP spec introduced pwprep to solve this problem,

I meant SASLprep - RFC4013

> > but hardly anything implements it yet. It will be many years before
> > you can depend on common LDAP clients doing itproperly.
> It's not just a client-side issue.  Most sites store a password hash in
> their server rather than the cleartext password.  That means the client
> needs to encode password with the same character encoding and
> preparation as whatever hashed the server-side password.  (E.g. the

Ideally password hashing should always be done by the server to avoid
risks like that. It is not always possible though :-(

> /etc/passwd program.)  Or the server needs to prepare cleartext
> passwords it receives from the client the same way, but it's likely a
> bad idea for the server to e.g. assume client passwords are latin-1 and
> convert to UTF-8.

A very bad idea indeed! The server has no way to know what character
set the client is using. That is why SASLprep has to be applied at the
client end.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |