Re: Configuration file with sensitive data (password)
On Sun, 15 Nov 2009, Nicolas Alvarez wrote:
> But where to put the password?
> Due to the protocol used during authentication, the daemon needs the password
> in plaintext form, it can't be a hash (remote client sends "I want to
> auth", daemon sends nonce, remote client hashes password and nonce, daemon
The image stored on the server should rather be (salt, H(salt + pass)), in
a world-readable plaintext file.
1. client sends auth request
2. daemon sends (nonce, salt)
3. client sends H(nonce + H(salt + pass))
I'm not saying this is secure or anything, but it might be a bit less
insecure. The nonce should protect against replay attacks, and the salt
against precomputed password-hash tables.
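The three-step exchange proposed above, written out with both sides' messages as an added example (not code from either poster or from the daemon under discussion). SHA-256 as H, 16-byte salts and nonces, a colon-separated record line, and all function names are assumptions of this illustration. It also shows the two properties the post claims (a replayed response fails against a fresh nonce; the stored value is salted, so no single precomputed table covers all users) and one the post does not mention: H(salt + pass) by itself is enough to answer the challenge, so anyone who can read the record file can authenticate without the password.

```python
import hashlib
import hmac
import secrets

# Illustrative implementation of the exchange described in the post.
# H = SHA-256 and the 16-byte salt/nonce sizes are assumptions, not the
# daemon's actual choices.


def H(data: bytes) -> bytes:
    """The hash function H of the post (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()


def make_record(password: bytes):
    """What the server stores for a user: (salt, H(salt + pass))."""
    salt = secrets.token_bytes(16)
    return salt, H(salt + password)


def record_to_line(user: str, record) -> str:
    """Serialize a record as one line of the plaintext file: user:salt:hash (hex)."""
    salt, verifier = record
    return f"{user}:{salt.hex()}:{verifier.hex()}"


def line_to_record(line: str):
    """Parse one line of the plaintext file back into (user, (salt, verifier))."""
    user, salt_hex, verifier_hex = line.strip().split(":")
    return user, (bytes.fromhex(salt_hex), bytes.fromhex(verifier_hex))


def daemon_challenge(record):
    """Step 2: daemon sends (nonce, salt). A fresh nonce per attempt is what
    makes a captured response useless later."""
    salt, _verifier = record
    return secrets.token_bytes(16), salt


def client_response(password: bytes, nonce: bytes, salt: bytes) -> bytes:
    """Step 3: client sends H(nonce + H(salt + pass))."""
    return H(nonce + H(salt + password))


def daemon_verify(record, nonce: bytes, response: bytes) -> bool:
    """The daemon never sees the password: it recomputes H(nonce + stored hash)
    and compares in constant time."""
    _salt, verifier = record
    expected = H(nonce + verifier)
    return hmac.compare_digest(expected, response)


def run_exchange(record, password_attempt: bytes) -> bool:
    """Steps 1-3 end to end for one login attempt; returns the daemon's verdict."""
    nonce, salt = daemon_challenge(record)          # step 1 implicit, step 2
    response = client_response(password_attempt, nonce, salt)  # step 3
    return daemon_verify(record, nonce, response)


def replay_is_rejected(record, password: bytes) -> bool:
    """A response captured from one exchange does not satisfy a later challenge."""
    nonce1, salt = daemon_challenge(record)
    captured = client_response(password, nonce1, salt)
    if not daemon_verify(record, nonce1, captured):
        return False
    nonce2, _salt = daemon_challenge(record)
    return not daemon_verify(record, nonce2, captured)


def verifier_alone_authenticates(record) -> bool:
    """The caveat: H(salt + pass) is password-equivalent for this protocol.
    Whoever reads the record can answer the challenge without the password,
    so the file should not be world-readable even though it holds no plaintext."""
    _salt, verifier = record
    nonce, _ = daemon_challenge(record)
    return daemon_verify(record, nonce, H(nonce + verifier))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    rec = make_record(b"correct horse battery staple")
    print(record_to_line("alice", rec))
    print("right password:", run_exchange(rec, b"correct horse battery staple"))
    print("wrong password:", run_exchange(rec, b"wrong"))
    print("replay rejected:", replay_is_rejected(rec, b"correct horse battery staple"))
    print("verifier alone logs in:", verifier_alone_authenticates(rec))
```

Two users with the same password get different records because the salt differs, which is the point of the salt; the nonce is the only thing that changes between two attempts by the same user, which is the point of the nonce. The last function is the reason this is "less insecure" rather than secure: the scheme moves the secret from the password to H(salt + pass), it does not remove it from the server.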