httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: feature request [Archie Cobbs <archie@tribe.com>] (fwd)
Date Thu, 10 Aug 1995 17:15:55 GMT
   Date: Thu, 10 Aug 1995 08:27:25 -0700 (PDT)
   From: Brian Behlendorf <brian@organic.com>

   You actually need to store the password in plaintext, believe it or
   not.  MD5 was designed to prevent network spoofing - what
   essentially happens is the server issues a challenge, the client
   hashes the challenge + the password and sends that key back to the
   server, the server does its own hash of the challenge + password,
   and if they match it accepts.  This way someone listing to the
   traffic can't determine a password they can use to break in.  It
   was reasoned that security on a single machine is easier to
   accomplish than security over the network.  It's not just using
   another form of crypt().

Not *quite* --- you can get away with storing something which is the
MD5 digest of the password itself, the realm, and maybe some other
stuff.  This digest doesn't give you the actual password --- but
someone who has a user-agent which has been hacked to make "proper"
use of the digest *can* fool the server into believing that the
cracker is authorized, even without knowing the password itself.

So, the implications for security are *almost* the same as if the
passwords were stored in plaintext, except the information that
actually is stored requires some small degree of technical
sophistication to exploit...

rst



Mime
View raw message