Date: Thu, 8 Jul 1999 23:13:53 +0930 (CST)
From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: Eivind Eklund <eivind@freebsd.org>
Cc: Peter Wemm <peter@netplex.com.au>, security@freebsd.org
Subject: Re: Improved libcrypt ready for testing
Message-ID: <Pine.OSF.4.10.9907082253220.14192-100000@bragg>
In-Reply-To: <19990708111429.E46370@bitbox.follo.net>
On Thu, 8 Jul 1999, Eivind Eklund wrote:

> > I'll have to think about how multiple password hashes could best be
> > implemented - any suggestions?
>
> For the master password file itself, I guess we could just put several
> hashes in the password field, separated by commas (which I don't think
> are allowed in any of the present hashes). I don't know how to fit
> multiple hashes into the databases; I've not looked too carefully at
> these.

The issue becomes how you retrieve or query the existence of a particular
password hash. getpwent() should only return the first hash listed because
most consumers will just do a strcmp(crypt(),passwd.pw_passwd) to verify a
password. There should be an interface for testing the existence of a
password hash of a certain kind and retrieving it. I'll think about how to
implement this...

> > I have the SRP reference implementation working at home - it requires changes
> > to clients, though.
>
> Does it require changes to clients in order to be used as a normal
> password hash, not to do challenges against? I can't remember
> anything about it that would force that?

SRP stores a salt and "verifier" (essentially just the hash of the password
taken as an exponent of a large integer modulo another large integer). As an
interim measure, this could be used as just another hash algorithm like any
other which is queried by cleartext passwords, but obviously you wouldn't
want to be querying some services using SRP and others using the plaintext
of the same password.

I should have time this weekend to knock this up together with some of the
changes discussed so far in this thread. The simplest way to SRP-ify an
application is probably to make both client and server talk PAM and use the
pam_srp module (which I haven't checked out yet).

Kris

> > Eivind.
> -----
> "Never criticize anybody until you have walked a mile in their shoes,
> because by that time you will be a mile away and have their shoes."
> -- Unknown
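The message above sketches two pieces of the comma-separated multi-hash scheme: getpwent() handing legacy consumers only the first hash, and a separate interface for asking whether a hash of a given kind exists and fetching it. The following C program is an added example written for this archive page, not code from the thread or from FreeBSD's libcrypt. It assumes that hashes in the field are separated by commas, that a hash's kind is the `id` in a modular-crypt `$id$` prefix (with an unprefixed 13-character DES hash treated as kind `des`), and that the function names, the `MAX_HASHES` limit and the sample field values are all made up for illustration. The split function rejects empty entries and oversized fields rather than silently truncating, so a malformed password line fails closed.

```c
/* Added example, not code from the thread or from FreeBSD's libcrypt.
 * Assumption: a password field holds one or more hashes separated by
 * commas; a hash's kind is the id in its "$id$" prefix, and a hash with
 * no prefix (traditional 13-char DES) is treated as kind "des". */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HASHES   8     /* assumed upper bound on hashes per field */
#define MAX_HASH_LEN 128   /* assumed upper bound on one hash's length */

struct pwhashes {
    int n;
    char hash[MAX_HASHES][MAX_HASH_LEN];
};

/* Split a comma-separated password field into its individual hashes.
 * Returns the number of hashes stored, or -1 if an entry is empty or too
 * long, or if there are more entries than MAX_HASHES (fail closed). */
int split_pw_field(const char *field, struct pwhashes *out)
{
    const char *p = field;
    out->n = 0;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= MAX_HASH_LEN || out->n >= MAX_HASHES)
            return -1;
        memcpy(out->hash[out->n], p, len);
        out->hash[out->n][len] = '\0';
        out->n++;
        if (!comma)
            return out->n;
        p = comma + 1;
    }
}

/* The first hash: the one a getpwent()-style consumer that does
 * strcmp(crypt(pw, pw_passwd), pw_passwd) should see. */
const char *first_hash(const struct pwhashes *h)
{
    return h->n > 0 ? h->hash[0] : NULL;
}

/* Derive the kind of a hash from its "$id$" prefix; an unprefixed hash is
 * reported as "des". Returns 0 on success, -1 if the prefix is malformed
 * or does not fit in the caller's buffer. */
int hash_kind(const char *hash, char *kind, size_t kindlen)
{
    if (hash[0] != '$') {
        if (kindlen < sizeof "des")
            return -1;
        strcpy(kind, "des");
        return 0;
    }
    const char *end = strchr(hash + 1, '$');
    if (!end)
        return -1;
    size_t len = (size_t)(end - (hash + 1));
    if (len == 0 || len + 1 > kindlen)
        return -1;
    memcpy(kind, hash + 1, len);
    kind[len] = '\0';
    return 0;
}

/* Query the existence of a hash of a given kind; returns it, or NULL if
 * the field carries no hash of that kind. */
const char *find_hash_kind(const struct pwhashes *h, const char *kind)
{
    char k[16];
    for (int i = 0; i < h->n; i++) {
        if (hash_kind(h->hash[i], k, sizeof k) == 0 && strcmp(k, kind) == 0)
            return h->hash[i];
    }
    return NULL;
}

/* Constructed sample field: an MD5-crypt ($1$) hash, a Blowfish-crypt ($2$)
 * hash and a traditional DES hash. All hash values are made up. */
static const char *SAMPLE_FIELD =
    "$1$saltsalt$constructedmd5hashvalue,$2$08$constructedblowfishvalue,abJnggxhB/yWI";

int main(void)
{
    struct pwhashes h;
    if (split_pw_field(SAMPLE_FIELD, &h) < 0) {
        fprintf(stderr, "malformed password field\n");
        return 1;
    }
    printf("first hash (what legacy consumers get): %s\n", first_hash(&h));
    const char *bf = find_hash_kind(&h, "2");
    printf("blowfish hash: %s\n", bf ? bf : "(none)");
    /* "srp" is an assumed kind name here; the thread fixes no identifier. */
    printf("srp verifier present: %s\n", find_hash_kind(&h, "srp") ? "yes" : "no");
    return 0;
}
```

A real implementation would hand `first_hash()` back through `pw_passwd` so unchanged consumers keep working, and expose `find_hash_kind()` (or an equivalent) as the new query interface; note that the lookup by kind needs bounded prefix parsing, as above, so that a hostile or corrupted field cannot overrun the kind buffer.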