[clug] A Question About Password Handling and Authentication Mechanisms

Mick Wahren mick at micknsteph.com
Tue Nov 25 13:44:39 MST 2014



> On 25 Nov 2014, at 17:08, Bob Edwards <Robert.Edwards at anu.edu.au> wrote:
> 
>> On 25/11/14 16:52, James Ring wrote:
>> I'm no expert but you may be describing Kerberos:
>> https://en.wikipedia.org/wiki/Kerberos_(protocol)
> 
> I'd also recommend reading:
> http://web.mit.edu/kerberos/www/dialogue.html
> 
> Bob Edwards
> 
>>> On Mon, Nov 24, 2014 at 9:36 PM, jm <jeffm at ghostgun.com> wrote:
>>> 
>>> I've been meaning to look into/ask if there exists a challenge-response
>>> mechanism for passwords where the password doesn't have to be stored in
>>> plain text or in a recoverable form, ie it can be stored using a
>>> cryptographic hash. In fact, nowhere is the password stored or
>>> transmitted over a channel in a recoverable form. Does anyone know of
>>> such a beast?
>>> 
>>> I imagine it would operate something like this:
>>> 
>>> Say you have a password in plain text, password. It is then stored on
>>> the server hashed, Hserver(password). Upon connection from a client a
>>> challenge is sent to the client and using the plain text password
>>> entered by the user the client carries out a one way calculation, call
>>> this hash Hclient(password, challenge) which is then sent to the server
>>> for verification. To do this the server performs another calculation
>>> on the hashed password, Verifier(stored_password, challenge), and
>>> compares it to the client supplied hash. In other words,
>>> 
>>> 1) Server stores password
>>>   stored_password = Hserver(password)
>>> 
>>> 2) Client connects.
>>> 
>>> 3) Server sends challenge to client, challenge.
>>> 
>>> 4) Client calculates response to challenge with a one-way function
>>>   response = Hclient(password, challenge)
>>> 
>>> 5) Client sends response to server
>>> 
>>> 6) Server calculates verifier code
>>>    verifier = Verifier(stored_password, challenge)
>>> 
>>> 7) Server compares results and allows access if there is a match
>>>    if response == verifier:
>>>        allow access
>>>    else:
>>>        disconnect
>>> 
>>> 
>>> Jeff.

If all that seems a bit daunting to set up, try FreeIPA (www.FreeIPA.org); it will do all of the heavy lifting for you. It will also allow you to create a trust relationship with AD and centrally manage your sudo rules.

It's very simple to install. ipa-server-install. Done. 

Cheers
Mick
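An added example, not from anyone in this thread, that implements the seven steps Jeff sketches: PBKDF2 is used as Hserver and HMAC as both Hclient and Verifier (both are assumed choices, as is the salt the server must hand the client along with the challenge). It also makes the caveat explicit: Verifier depends only on stored_password, so whoever copies the server's table can answer any challenge, which is why the stored form must still be guarded like a password even though the password itself never crosses the wire.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for Hserver


def h_server(password: str, salt: bytes) -> bytes:
    """Hserver(password): slow, salted one-way hash kept on the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def h_client(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Hclient(password, challenge): the client rebuilds Hserver(password)
    from the typed password and keys an HMAC over the challenge with it."""
    return hmac.new(h_server(password, salt), challenge, "sha256").digest()


def verifier(stored_password: bytes, challenge: bytes) -> bytes:
    """Verifier(stored_password, challenge): same HMAC, keyed with the
    stored value only; the server never needs the plaintext password."""
    return hmac.new(stored_password, challenge, "sha256").digest()


def register(password: str) -> tuple[bytes, bytes]:
    """Step 1: server stores (salt, Hserver(password))."""
    salt = os.urandom(16)
    return salt, h_server(password, salt)


def authenticate(stored: tuple[bytes, bytes], typed_password: str) -> bool:
    """Steps 2-7 for one connection, both sides simulated in-process."""
    salt, stored_password = stored
    challenge = os.urandom(16)  # fresh per connection so replays fail
    response = h_client(typed_password, salt, challenge)       # client side
    expected = verifier(stored_password, challenge)            # server side
    return hmac.compare_digest(response, expected)             # constant-time


def stored_value_is_password_equivalent(stored: tuple[bytes, bytes]) -> bool:
    """The caveat: a valid response can be produced from the stored value
    alone, without knowing the password. True means the table is a credential."""
    salt, stored_password = stored
    challenge = os.urandom(16)
    return hmac.compare_digest(verifier(stored_password, challenge),
                               verifier(stored_password, challenge))
```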

