On Sun, 15 Nov 2009, Nicolas Alvarez wrote:
But where to put the password? Due to the protocol used during authentication, the daemon needs the password in plaintext form, it can't be a hash (remote client sends "I want to auth", daemon sends nonce, remote client hashes password and nonce, daemon compares hashes).
The image stored on the server should rather be (salt, H(salt + pass)), in a world-readable plaintext file.
1. client sends auth request
2. daemon sends (nonce, salt)
3. client sends H(nonce + H(salt + pass))

I'm not saying this is secure or anything, but it might be a bit less insecure. The nonce should protect against replay attacks, and the salt against precomputed password-hash tables.
lacos