Subject: Re: [netatalk-admins] Information on other authentications
From: Michael Han (mikehan@best.com)
Date: Wed Apr 21 1999 - 02:18:42 EDT
Previously...
>On Tue, 20 Apr 1999, Alex Yu wrote:
>
>} I think we really need to find a way that doesn't require a cleartext .passwd.
>} I mean.... what's the point of using two-way encryption if .passwd is a
>} cleartext passwd?
>
>From the fetchmail Design Notes, which answers this question:
>
> --- 8< ---
>[Thank you, I think I will snip it]
> --- 8< ---
I think Alex is trying to point out that there's something wrong with
rand2num *itself*. And if he wasn't, I'd sure like to make the same
assertion. rand2num is potentially better than cleartext, but still
doesn't work the way I tend to think about password encryption. A
hashed password should be sent, which is compared to the same which is
stored on the server. That way a root compromise of the server doesn't
compromise all the user passwords on the box. And root can't casually
be grabbing user passwords either.
fetchmail is a client, and hence, for it to work in an automagic
fashion, it needs your password. afpd is a server and shouldn't need
to know anyone's password. Only if the password provided is authentic.
The real question is if anyone feels like trying to write a 'crypt'
uam or something like that. I think there's a need, personally. I
suppose there's a new kerberos UAM in the works, too.
--
mikehan@best.com
I will not prescribe medication - The collected wisdom of Bart Simpson
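The two designs the thread is arguing about, as an added example that is not part of the original message and not netatalk's own code: a server that keeps only a salted PBKDF2 hash per user (so a copy of the store does not give away the password), beside a challenge-response check that can only be evaluated if the server holds the user's secret in recoverable form. The challenge-response half is a generic HMAC model of the "two-way encryption with a cleartext .passwd" problem, not the real randnum UAM; all function names, the store layouts and the sample credentials are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: hypothetical verifier store, not netatalk's .passwd format.
PBKDF2_ITERATIONS = 200_000
DUMMY_SALT = bytes(16)  # fixed salt used only to equalise cost for unknown users


def make_verifier(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a per-user record holding only a random salt and a PBKDF2-HMAC hash.

    Nothing in the record lets its holder recover the password directly; a
    compromise of the store leaves an attacker with an offline guessing job
    whose cost is set by PBKDF2_ITERATIONS.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(store: dict, user: str, password: str) -> bool:
    """Server-side check for a password presented over an (assumed) protected channel."""
    rec = store.get(user)
    if rec is None:
        # Spend the same work for an unknown user so response time does not
        # reveal which account names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    # Constant-time comparison so a mismatch position is not leaked by timing.
    return hmac.compare_digest(candidate, bytes.fromhex(rec["hash"]))


# --- Generic challenge-response model of the "cleartext .passwd" design --------
# The client never sends the password, only a keyed response to a fresh nonce.
# The catch: to recompute that response the server needs the same key, i.e. the
# user's secret stored in recoverable (here: plaintext) form.

def issue_challenge() -> bytes:
    """Server picks a fresh random nonce for each login attempt."""
    return os.urandom(16)


def client_response(password: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the password without transmitting it."""
    return hmac.new(password.encode(), nonce, "sha256").digest()


def server_check_response(plain_store: dict, user: str, nonce: bytes, response: bytes) -> bool:
    """Server must recompute the response, which requires the stored plaintext secret."""
    secret = plain_store.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    hashed_store = {"alex": make_verifier("correct horse")}
    plain_store = {"alex": "correct horse"}

    print("hashed store record:", hashed_store["alex"])
    print("verify good password:", verify_password(hashed_store, "alex", "correct horse"))
    print("verify bad password: ", verify_password(hashed_store, "alex", "wrong"))

    nonce = issue_challenge()
    resp = client_response("correct horse", nonce)
    print("challenge-response ok:", server_check_response(plain_store, "alex", nonce, resp))
    print("plaintext store record:", plain_store["alex"])  # the secret itself
```

The contrast the code makes visible: the hashed store's record is a salt and a digest, while the challenge-response server's record is the password itself, which is exactly what a root compromise of the server would hand over in the second design.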
This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:16:37 EST