Re: [netatalk-admins] 2-way encrypted passwords?


Subject: Re: [netatalk-admins] 2-way encrypted passwords?
From: Steven N. Hirsch (shirsch@ibm.net)
Date: Tue Aug 12 1997 - 18:15:16 EDT


On Tue, 12 Aug 1997, Bill Studenmund wrote:

> On Tue, 12 Aug 1997, Ben Burch wrote:
>
> > Hello, folks!
> >
> > Okay... I am uncomfortable with the fact that passwords in netatalk are
> > being sent "clear". Short of Kerberos, which I know is in some
> > non-completed state, is there a patch to use the same password encryption
> > scheme Appleshare itself uses? If not, is there some documentation on
> > how this scheme works so that I could implement said patch myself?
>
> The problem is that the Apple two-way encrypted technique requires the
> plain-text password be kept on the server. Other than that, it shouldn't be
> too hard. IA, 2nd edition describes the encryption technique.
>

All,

Never fear, gents. I've had this working for months, and have finally
found time to clean up and comment the patches. They cover:

1) One man's implementation of the "Randnum exchange" UAM. Yes, it does
require that a clear-text password reside on disk at the server. However,
it does _not_ have to be the same as any/all other passwords that might be
owned by the user. I think it's reasonably secure, but would love
feedback.

2) Support for the Apple IIe (w/ Apple Workstation card) and Apple IIgs
(built-in LocalTalk port).

3) Real Soon Now: Support for PC/Win clients (I just have to sit down and
code the name munging logic).

I'll post the diffs here later this evening after giving them another
once-over. It will be necessary to grab a library supporting DES encrypt
and decrypt operations. I downloaded 'libdes' from a site in Australia,
but it is not legal for DES code to travel in the other direction - go
figure.

Stay tuned.

Steve

 


