[SATLUG] RE: kerberos
Bruce Dubbs
bruce.dubbs at gmail.com
Fri Dec 1 14:52:52 CST 2006
K. Spoon wrote:
> The basic gist is that you take a string, run it through the md5
> algorithm, and store the hash that's created somewhere... like, the
> /etc/passwd file or say, an LDAP server. Only the hash is saved...
> password is dropped after the hash is created.
>
> Whenever a user wants to authenticate, the application that they type
> their password into computes another md5 hash which is then sent back to
> the authentication server for it to compare against what's stored using some
> mathemagical formula I won't even pretend to understand.
This can only be secure if the hash is sent over an encrypted link. The
hash is a "password equivalent" and, if captured, can be used to make
the same authentication from another location.
Another way is to store the actual password on the server and send
something like a hash of a timestamp plus the password. The
authentication server then tests the timestamp for reasonableness (say
within a second or two) and calculates the hash from the timestamp and
the saved password. If that matches the transmitted timestamp, access
is allowed.
-- Bruce