[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PHP: issues managing the password, what is wrong?

Howard Chu wrote:
> Zdenek Styblik wrote:
>> Jonathan Clarke wrote:
>>> On 30/09/2009 07:43, Zdenek Styblik wrote:
>>> ...
>>>> I believe this is broken, or obsolete. I'm using Perl port of Unix
>>>> crypt() function, and it works just fine for "any" password lengths.
>>>> 8 characters limitation sounds like - history :)
>>> Actually crypt() is system-dependant. Different *nixes implement it
>>> differently. Many implementations accept passwords of any length, but
>>> only use the first 8 characters to create the hash. As a result, using
>>> crypt passwords is insecure and un-portable.
>>> So, yes, it sounds like history, but that's crypt for you :)
>>> Regards,
>>> Jonathan
>> Errr ... well, it seems so.
>> I think I've hit the wall with eg. sshd x nss-switch when having
>> passwords crypted by anything else than crypt();
> nsswitch should not be used to authenticate against LDAP. That's what
> PAM is for. Clients should never know (let alone care) how the password
> is stored inside the LDAP server.

I'm not going to flame over PAM, but thanks (and no thanks - no offense).
I have no knowledge of how Padl's nss-switch works, neither I've said
client should know anything about how's password encrypted.
If nss-switch is incapable of handling anything else than crypt because
of bad design (or what), then it's sad.

>> Also, using SSHA might be a bit of overkill (I'm not defending
>> crypt()! :))
>> So, what's left? Or more, what's the suggestion - which crypt function
>> to use?
> SSHA is the default; if you have to ask then you probably shouldn't
> change it.

I think not using SSHA was recommended somewhere, because it's
heavyweight. It was probably an old book :)
Once again, I'm not *for* any specific crypto function.


Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net