Does the Samba 4 LDAP server support GSS-SPNEGO over SASL

paul paul at subsignal.org
Mon Dec 11 12:06:52 GMT 2006


Luke Howard schrieb:
>>> Minor security note: You don't really need the plaintext, the Digest
>>> HHA1 hash for the user in the realm is sufficient and is what many
>>> implementations use to avoid storing the plaintext password on the
>>> server.
>> Hm, this sounds interesting. Which implementations use the sha1 hash,
>> and how do you tell the client? At least cyrus-sasl needs plaintext on
>> the server side AFAIK.
> 
> It's not a SHA-1 hash, rather it's H(A1) from RFC 2617.
Ah, so it's basically python -c "import md5; print md5.new('username:realm:password').hexdigest()".

Still, most services using (cyrus-)sasl require access to plaintext
passwords. For digest-md5 it might be sufficient to store H(A1), but
what about other mechanisms? Since mechanism-specific passwords like
cmusaslsecret<mech> haven't made it, I see no way not to store plaintext
on the server side (which I really really hate to do).

cheers
 Paul
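To make the H(A1) point concrete, here is an added example (not code from this thread) of the RFC 2617 Digest exchange with qop=auth: the server keeps only H(A1) = MD5(username:realm:password), the client computes its response from the plaintext, and the server verifies it without ever seeing the password. The sample credentials and nonces are the RFC 2617 section 3.5 test vector; SASL DIGEST-MD5 (RFC 2831) builds its A1 on the same H(username:realm:password) value.

```python
import hashlib
import hmac


def h(s: str) -> str:
    """H() from RFC 2617: hex-encoded MD5 of a string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) for algorithm=MD5. This is all the server needs to store.
    It is password-equivalent for this realm, so guard it like a password."""
    return h(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response with qop=auth (RFC 2617 3.2.2.1):
    KD(H(A1), nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: recompute from the stored H(A1) only, compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def demo(password: str) -> bool:
    """Walk one exchange using the RFC 2617 example values; returns the verdict."""
    user, realm, uri = "Mufasa", "testrealm@host.com", "/dir/index.html"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    # Provisioning: the directory stores H(A1), never the plaintext.
    stored = ha1(user, realm, "Circle Of Life")
    # Client: has the plaintext, derives H(A1) itself and answers the challenge.
    client_resp = digest_response(ha1(user, realm, password), "GET", uri, nonce, nc, cnonce)
    return server_verify(stored, "GET", uri, nonce, nc, cnonce, client_resp)


if __name__ == "__main__":
    print("correct password:", demo("Circle Of Life"))  # True
    print("wrong password:  ", demo("not the password"))  # False
```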


