On Sun, 15 Nov 2009, Nicolas Alvarez wrote:

But where to put the password?

Due to the protocol used during authentication, the daemon needs the password
in plaintext form, it can't be a hash (remote client sends "I want to
auth", daemon sends nonce, remote client hashes password and nonce, daemon
compares hashes).

The image stored on the server should rather be (salt, H(salt + pass)), in a world-readable plaintext file.

1. client sends auth request
2. daemon sends (nonce, salt)
3. client sends H(nonce + H(salt + pass))

I'm not saying this is secure or anything, but it might be a bit less insecure. The nonce should protect against replay attacks, and the salt against precomputed password-hash tables.

lacos
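The three-step exchange proposed above, written out with both sides so it can be run end to end. This is an added example, not code from the thread or from the daemon under discussion; it assumes SHA-256 for H() (the mail does not name a hash), a 16-byte salt and nonce, and in-memory bookkeeping of issued nonces, and the password is a constructed sample.

```python
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    """Hash function assumed for H(); the mail does not name one."""
    return hashlib.sha256(data).digest()


def enroll(password: bytes) -> tuple[bytes, bytes]:
    """Server-side enrolment: the (salt, H(salt + pass)) record the mail
    proposes storing in place of the plaintext password."""
    salt = os.urandom(16)
    return salt, H(salt + password)


class Daemon:
    """Server side of the exchange. Only the stored record is available to it."""

    def __init__(self, salt: bytes, verifier: bytes) -> None:
        self.salt = salt
        self.verifier = verifier                  # H(salt + pass) from the file
        self.outstanding: set[bytes] = set()      # nonces issued, not yet answered

    def auth_request(self) -> tuple[bytes, bytes]:
        """Step 2: answer the client's auth request with a fresh (nonce, salt)."""
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce, self.salt

    def check(self, nonce: bytes, response: bytes) -> bool:
        """Step 3, server side: verify H(nonce + H(salt + pass)).
        Each nonce is accepted at most once, so re-sending a captured
        (nonce, response) pair is rejected as a replay."""
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = H(nonce + self.verifier)
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(password: bytes, nonce: bytes, salt: bytes) -> bytes:
    """Step 3, client side: the password itself never leaves the client."""
    return H(nonce + H(salt + password))


def run_exchange(daemon: Daemon, password_attempt: bytes) -> tuple[bytes, bytes, bool]:
    """One complete exchange (steps 1-3). Returns (nonce, response, accepted)
    so a caller can later try re-submitting the same pair."""
    nonce, salt = daemon.auth_request()          # step 1 request, step 2 reply
    response = client_response(password_attempt, nonce, salt)
    return nonce, response, daemon.check(nonce, response)


def demo() -> dict[str, bool]:
    """Correct password is accepted, a wrong one is not, and a replayed
    (nonce, response) pair is rejected because the nonce was consumed."""
    salt, verifier = enroll(b"correct horse")    # constructed sample password
    daemon = Daemon(salt, verifier)
    nonce, response, ok = run_exchange(daemon, b"correct horse")
    _, _, wrong = run_exchange(daemon, b"wrong password")
    replayed = daemon.check(nonce, response)     # same pair submitted again
    return {"correct": ok, "wrong": wrong, "replay": replayed}


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible: the daemon only ever touches `verifier`, never the password, so the plaintext no longer has to sit on the server; but `verifier` alone is enough to compute a valid response, so the stored record is a password-equivalent and the file's read permissions still matter even though it is no longer the password itself. The nonce set is per-process here; a real daemon would also need to expire outstanding nonces.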

