httpd-dev mailing list archives

From Brandon Long <>
Subject Re: feature request [Archie Cobbs <>] (fwd)
Date Thu, 10 Aug 1995 21:16:52 GMT
Last time, Brian Behlendorf uttered the following other thing:
> You actually need to store the password in plaintext, believe it or not.  MD5
> was designed to prevent network spoofing - what essentially happens is the
> server issues a challenge, the client hashes the challenge + the password and
> sends that key back to the server, the server does its own hash of the
> challenge + password, and if they match it accepts.  This way someone listening
> to the traffic can't determine a password they can use to break in.  It was
> reasoned that security on a single machine is easier to accomplish than
> security over the network.  It's not just using another form of crypt(). 
> There has been talk about modifying the proposal somehow to get rid of 
> the requirement for plaintext passwords on the server side, but I don't 
> know the details.  This is just seen as a stopgap measure to plug the 
> holes in the Basic scheme until more solid methods are available.

It doesn't actually store it in plain text.  It hashes the password
with other information known to both sides (such as the AuthRealm)
and stores that in the .htpasswd file.  That way, it's at least a step
more difficult to do (you'd have to modify the client to accept
your hash instead of taking the password and making the hash itself).

So, in Brian's terminology, it hashes a default part of the challenge with
the password and stores this.  Then, when it issues the challenge,
the client takes the entered password and hashes it with parts of the
challenge, then hashes that with the full challenge.  That is compared 
against the same thing on the server side.


 Brandon Long   (N9WUC)     "I think, therefore, I am confused." -- RAW
 Computer Engineering   	Run Linux '95.	It's that Easy. 
 University of Illinois
		Don't worry, these aren't even my views.

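The exchange Brandon describes, as an added example that is not part of the original message or of the Apache code: the server stores only the password hashed with the user name and realm (the "default part of the challenge"), the client rebuilds that hash from the typed password and hashes it again with the server's per-request nonce, and the server repeats the second step from its stored value and compares. The layout of the three hashes follows the later RFC 2069 Digest scheme (HA1, HA2, response), which is an assumption about the 1995 proposal; the realm, user names and passwords are constructed for the demo.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Hex MD5 of a string; Digest authentication is defined over MD5."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_ha1(user: str, realm: str, password: str) -> str:
    """The value the server stores: password hashed with user and realm.

    This is what a Digest-style .htpasswd file holds instead of plaintext.
    """
    return md5_hex(f"{user}:{realm}:{password}")


def client_response(user: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """Client side: rebuild HA1 from the typed password, then hash it
    together with the server's challenge (the nonce) and the request."""
    ha1 = make_ha1(user, realm, password)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Minimal server side of the challenge/response flow (constructed demo)."""

    def __init__(self, realm: str):
        self.realm = realm
        self.htpasswd = {}    # user -> HA1; the plaintext password is never kept
        self.issued = set()   # outstanding nonces, each accepted once

    def add_user(self, user: str, password: str) -> None:
        # The password is hashed at enrolment time and then discarded.
        self.htpasswd[user] = make_ha1(user, self.realm, password)

    def challenge(self) -> str:
        # A fresh, unpredictable nonce per challenge is what defeats replay of a
        # response captured off the wire.
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, user: str, nonce: str, method: str, uri: str,
               response: str) -> bool:
        if nonce not in self.issued:
            return False          # unknown or already-used nonce: treat as replay
        self.issued.discard(nonce)
        ha1 = self.htpasswd.get(user)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        # Constant-time comparison so timing does not leak how many bytes matched.
        return secrets.compare_digest(expected, response)


def demo():
    """Run one good login, one replay of the captured response, one wrong password."""
    realm = "demo-realm"                       # constructed
    srv = DigestServer(realm)
    srv.add_user("alice", "correct horse")     # constructed credentials

    nonce = srv.challenge()
    resp = client_response("alice", realm, "correct horse", nonce, "GET", "/private")
    ok = srv.verify("alice", nonce, "GET", "/private", resp)

    # An eavesdropper saw (nonce, resp); re-sending them is rejected.
    replay = srv.verify("alice", nonce, "GET", "/private", resp)

    # A wrong password against a fresh challenge is rejected.
    nonce2 = srv.challenge()
    bad = srv.verify("alice", nonce2, "GET", "/private",
                     client_response("alice", realm, "wrong", nonce2, "GET", "/private"))
    return ok, replay, bad


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The point Brandon makes survives in the code: what the server file holds is HA1, not the password, so a file disclosure does not directly hand out the plaintext; what the wire carries is a hash bound to a one-time nonce, so a capture cannot be replayed. Both protections depend on the nonce being fresh and on the server discarding each nonce after one use.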