Return-Path: owner-new-httpd Received: by taz.hyperreal.com (8.6.12/8.6.5) id OAA23151; Thu, 10 Aug 1995 14:15:48 -0700 Received: from fiction.isdn.uiuc.edu by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id OAA23146; Thu, 10 Aug 1995 14:15:44 -0700 Received: (from blong@localhost) by fiction.isdn.uiuc.edu (8.6.12/8.6.12) id QAA14424 for new-httpd@hyperreal.com; Thu, 10 Aug 1995 16:16:52 -0500 Message-Id: <199508102116.QAA14424@fiction.isdn.uiuc.edu> Subject: Re: feature request [Archie Cobbs ] (fwd) To: new-httpd@hyperreal.com Date: Thu, 10 Aug 1995 16:16:52 -0500 (CDT) In-Reply-To: from "Brian Behlendorf" at Aug 10, 95 08:27:25 am From: Brandon Long X-Uri: X-Citement: Pontiac X-Disclaimer: I said what? MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 1908 Sender: owner-new-httpd@apache.org Precedence: bulk Reply-To: new-httpd@apache.org Last time, Brian Behlendorf uttered the following other thing: > > You actually need to store the password in plaintext, believe it or not. MD5 > was designed to prevent network spoofing - what essentially happens is the > server issues a challenge, the client hashes the challenge + the password and > sends that key back to the server, the server does its own hash of the > challenge + password, and if they match it accepts. This way someone listing > to the traffic can't determine a password they can use to break in. It was > reasoned that security on a single machine is easier to accomplish than > security over the network. It's not just using another form of crypt(). > > There has been talk about modifying the proposal somehow to get rid of > the requirement for plaintext passwords on the server side, but I don't > know the details. This is just seen as a stopgap measure to plug the > holes in the Basic scheme until more solid methods are available. It doesn't actually store it in plain text. It hashes the password with other information known to both sides (such as the AuthRealm) and stores that in the .htpasswd file. That way, its at least a step more difficult to do (you'd have to modify the client to accept your hash instead of taking the password and making the hash itself). So, in Brian's terminalogy, it hashes a default part of the challenge with the password and stores this. Then, when it issues the challenge, the client takes the entered password and hashes it with parts of the challenge, then hashes that with the full challenge. That is compared against the same thing on the server side. Brandon -- Brandon Long (N9WUC) "I think, therefore, I am confused." -- RAW Computer Engineering Run Linux '95. It's that Easy. University of Illinois blong@uiuc.edu http://www.uiuc.edu/ph/www/blong Don't worry, these aren't even my views.