httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Re: feature request [Archie Cobbs <>] (fwd)
Date Thu, 10 Aug 1995 15:27:25 GMT
On Thu, 10 Aug 1995, Paul Richards wrote:
> In reply to Brian Behlendorf who said
> > 
> > > I'd use the term "unwise", but yeah, I agree that it shouldn't be 
> > > suggested or necessarily enabled in our setup.  MD5 authentication is 
> > > going to require storing something other than the crypted password 
> > > anyways.
> > 
> > That's true (and too bad for me). By the way, any projections as to
> > when this MD5 password encoding gets implemented?
> > 
> Why would you need to store something other than the password for
> MD5?

You actually need to store the password in plaintext, believe it or not.  MD5
was designed to prevent network spoofing - what essentially happens is the
server issues a challenge, the client hashes the challenge + the password and
sends that key back to the server, the server does its own hash of the
challenge + password, and if they match it accepts.  This way someone listing
to the traffic can't determine a password they can use to break in.  It was
reasoned that security on a single machine is easier to accomplish than
security over the network.  It's not just using another form of crypt(). 

There has been talk about modifying the proposal somehow to get rid of 
the requirement for plaintext passwords on the server side, but I don't 
know the details.  This is just seen as a stopgap measure to plug the 
holes in the Basic scheme until more solid methods are available.


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--  http://www.[hyperreal,organic].com/

View raw message