Date: Thu, 8 Jul 1999 17:46:23 +0200
From: Eivind Eklund
To: Kris Kennaway
Cc: Peter Wemm, security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <19990708174622.B50609@bitbox.follo.net>
References: <19990708111429.E46370@bitbox.follo.net>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, Jul 08, 1999 at 11:13:53PM +0930, Kris Kennaway wrote:
> On Thu, 8 Jul 1999, Eivind Eklund wrote:
> > Kris Kennaway wrote:
> > > I have the SRP reference implementation working at home - it
> > > requires changes to clients, though.
> >
> > Does it require changes to clients in order to be used as a normal
> > password hash, not to do challenges against? I can't remember
> > anything about it that would force that?
>
> SRP stores a salt and "verifier" (essentially just the hash of the password
> taken as an exponent of a large integer modulo another large integer)
>
> As an interim measure, this could be used as just another hash
> algorithm like any other which is queried by cleartext passwords,
> but obviously you wouldn't want to be querying some services using
> SRP and others using the plaintext of the same password.

I disagree. In my opinion, you would obviously want to - to give a
simple example, I'm willing to type my plaintext password at a login
prompt, but I'm not willing to transfer it in the clear using POP3.

> I should have time this weekend to knock this up together with some
> of the changes discussed so far in this thread.
>
> The simplest way to SRP-ify an application is probably to make both
> client and server talk PAM and use the pam_srp module (which I
> haven't checked out yet).

This is the next step after actually having the SRP password hashes in
the database in the first place :)

Eivind.
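
The "just another hash algorithm queried by cleartext passwords" use discussed in this message, as an added example that is not code from the thread, from libcrypt or from the SRP reference implementation: it stores a salt and verifier, then checks a typed password against them. The modulus, the generator, the SHA-256 derivation of the exponent and all function names are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo group (assumption): N = 2**255 - 19 is prime, but it is
# far too small for SRP and is not one of the standard SRP groups.
N = 2**255 - 19
G = 2
N_BYTES = (N.bit_length() + 7) // 8


def private_exponent(salt: bytes, password: str) -> int:
    """Hash salt || password into the exponent x.

    Assumption: plain SHA-256 over salt || password. Each SRP version
    defines its own derivation; this only mirrors the thread's description
    ("the hash of the password taken as an exponent").
    """
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def make_verifier(password: str, salt: bytes = None):
    """Return the (salt, verifier) pair the password database would store."""
    if salt is None:
        salt = os.urandom(16)
    return salt, pow(G, private_exponent(salt, password), N)


def check_cleartext(password: str, salt: bytes, verifier: int) -> bool:
    """Check a typed password against a stored verifier, crypt()-style.

    No SRP exchange takes place: the server recomputes g^x mod N from the
    cleartext it was handed and compares it with the stored value.
    """
    if not 0 < verifier < N:
        return False  # reject out-of-range values from a damaged database
    candidate = pow(G, private_exponent(salt, password), N)
    # Fixed-width encoding plus constant-time comparison.
    return hmac.compare_digest(
        candidate.to_bytes(N_BYTES, "big"), verifier.to_bytes(N_BYTES, "big")
    )
```

The stored pair is the same one an SRP server would use for a network login, so one database entry can serve both a local login prompt and an SRP-capable service.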