
Re: Configuration file with sensitive data (password)



On Sun, 15 Nov 2009, Nicolas Alvarez wrote:

> But where to put the password?
>
> Due to the protocol used during authentication, the daemon needs the
> password in plaintext form, it can't be a hash (remote client sends "I want
> to auth", daemon sends nonce, remote client hashes password and nonce,
> daemon compares hashes).

The image stored on the server should rather be (salt, H(salt + pass)), in a world-readable plaintext file.

1. client sends auth request
2. daemon sends (nonce, salt)
3. client sends H(nonce + H(salt + pass))

I'm not saying this is secure or anything, but it might be a bit less insecure. The nonce should protect against replay attacks, and the salt against precomputed password-hash tables.

lacos
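The three-step exchange above, written out as both sides of the protocol. This is an added example, not code from the thread or from the daemon under discussion; the hash function H is assumed to be SHA-256 (the thread does not name one), the credentials are constructed, and the class and function names are my own. It also carries two checks a practitioner would want: that a captured response cannot be replayed against a fresh challenge, and that the stored image (salt, H(salt + pass)) is itself enough to answer a challenge, which is the reason the file deserves protection even though it holds no plaintext password.

```python
import hashlib
import hmac
import secrets

# Constructed example credential (assumed value, not from the thread).
PASSWORD = b"correct horse battery staple"


def H(data: bytes) -> bytes:
    """The hash H from the thread; SHA-256 is an assumption, the thread names none."""
    return hashlib.sha256(data).digest()


def enroll(password: bytes, salt: bytes = None):
    """Build the server-side image (salt, H(salt + pass)) that replaces the plaintext."""
    if salt is None:
        salt = secrets.token_bytes(16)
    return salt, H(salt + password)


class Daemon:
    """Server side: holds only (salt, H(salt + pass)) and one outstanding nonce."""

    def __init__(self, image):
        self.salt, self.image = image
        self._pending = None  # nonce of the challenge currently awaiting a reply

    def challenge(self):
        """Step 2: issue a fresh nonce together with the stored salt."""
        self._pending = secrets.token_bytes(16)
        return self._pending, self.salt

    def verify(self, response: bytes) -> bool:
        """Compare the client's H(nonce + H(salt + pass)) with the daemon's own value."""
        if self._pending is None:
            return False
        nonce, self._pending = self._pending, None  # each nonce answers exactly once
        expected = H(nonce + self.image)
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, nonce: bytes, salt: bytes) -> bytes:
    """Step 3: the client derives H(salt + pass) itself and binds it to the nonce."""
    return H(nonce + H(salt + password))


def run_auth(daemon: Daemon, password: bytes) -> bool:
    """Full exchange (steps 1-3) for a client that knows the password."""
    nonce, salt = daemon.challenge()
    return daemon.verify(client_response(password, nonce, salt))


def replay_is_rejected(daemon: Daemon, password: bytes) -> bool:
    """Check: a response captured once must not be accepted a second time."""
    nonce, salt = daemon.challenge()
    response = client_response(password, nonce, salt)
    first = daemon.verify(response)
    second = daemon.verify(response)  # no new challenge was issued
    return first and not second


def image_alone_answers_challenge(daemon: Daemon, image: bytes) -> bool:
    """Check: whoever can read H(salt + pass) can answer without the password,
    so the stored image is password-equivalent for this daemon."""
    nonce, _salt = daemon.challenge()
    return daemon.verify(H(nonce + image))


if __name__ == "__main__":
    salt, image = enroll(PASSWORD)
    d = Daemon((salt, image))
    print("correct password accepted:", run_auth(d, PASSWORD))
    print("wrong password rejected:", not run_auth(d, b"wrong"))
    print("replay rejected:", replay_is_rejected(d, PASSWORD))
    print("image alone suffices:", image_alone_answers_challenge(d, image))
```

The nonce is consumed on the first `verify` call, which is what makes the replay check fail as intended; the constant-time `hmac.compare_digest` avoids leaking how many leading bytes of the response matched. The last check is the caveat behind "a bit less insecure": the salt defeats precomputed tables, the nonce defeats replay, but the image is still enough to authenticate to this daemon, so who can read the file matters.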

