[SATLUG] RE: kerberos

K. Spoon kell at spoonix.com
Fri Dec 1 10:48:28 CST 2006


On Fri, Dec 01, 2006 at 09:55:34AM -0600, Justizin wrote:
> On 12/1/06, K. Spoon <kell at spoonix.com> wrote:
> >How does an md5 hash not satisfy this requirement?  You don't have to
> >store passwords in LDAP in the clear... md5 and crypt are supported out
> >of the box.
> 
> Well, this means I have to hand out a private key to a thousand
> application developers, right? :/

What?  No.

http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

The basic gist is that you take a string, run it through the md5
algorithm, and store the hash that's created somewhere... like, the
/etc/passwd file or say, an LDAP server.  Only the hash is saved...
password is dropped after the hash is created.

Whenever a user wants to authenticate, the application that they type
their password into computes another md5 hash which is then sent back to
the authentication server for it to compare against what's stored using some
mathemagical formula I won't even pretend to understand.

If the 2 hashes match up, the server sends back a thumbs up and the
application awards authentication to the user... if not, try again, Beavis.

No common cert is needed (because the md5 algorithm is what's shared),
and the only thing sent over the wire is the hash, not the password
itself.  This is why everything from login to apache uses it, and
because there's no (easy) way to "decrypt" the password from the hash
it's why so many authentication systems require the admin to reset
instead of resend passwords.

Also... I happen to know for a fact that Plone in 2003 was indeed capable
of handling not only authentication via LDAP, but could even speak md5.
In addition, we used posixGroups to establish user authorization to
various parts of the site.

-- 
K. Spoon <kell at spoonix.com>
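The store-the-hash-then-recompute-and-compare workflow described above, as an added example that is not part of the original post, of Plone, or of OpenLDAP. It builds and checks `userPassword` values in the RFC 2307 `{MD5}` and salted `{SMD5}` encodings that an LDAP server accepts out of the box; the comparison is done wherever the stored value lives (in the real deployment the directory server performs it when the application binds with the user's password), and the constant-time compare is the only deliberate hardening beyond what the message describes. Function names and the sample password are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical helpers (not OpenLDAP or Plone code) for RFC 2307-style
# userPassword attribute values: "{MD5}" + base64(md5(pw)) and
# "{SMD5}" + base64(md5(pw + salt) + salt).

DIGEST_LEN = 16  # MD5 produces a 16-byte digest


def make_md5(password: str) -> str:
    """Unsalted {MD5}: base64 of the raw MD5 digest, as stored in the directory."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def make_smd5(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SMD5}: the salt is appended to the digest so verify() can recover it."""
    if salt is None:
        salt = os.urandom(4)  # fresh random salt per stored password
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Recompute the hash from the presented password and compare it to the stored one.

    The plaintext never needs to be stored; only the hash (plus salt) is kept.
    """
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(b64)
    if scheme == "MD5":
        candidate = hashlib.md5(password.encode("utf-8")).digest()
        # constant-time compare avoids leaking how many leading bytes matched
        return hmac.compare_digest(candidate, raw)
    if scheme == "SMD5":
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        candidate = hashlib.md5(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError(f"unsupported password scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed sample: "password" is the well-known test value whose
    # {MD5} form is X03MO1qnZdYdgyfeuILPmQ==
    stored = make_md5("password")
    print(stored)
    print("correct password accepted:", verify("password", stored))
    print("wrong password rejected:", not verify("Password", stored))
    salted = make_smd5("password")
    print(salted, "->", verify("password", salted))
```

Note that two users with the same password get identical `{MD5}` values but different `{SMD5}` values, which is the reason to prefer the salted scheme even among these legacy encodings; current OpenLDAP deployments generally use `{SSHA}` or a slow password hash instead of MD5.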


More information about the SATLUG mailing list