
Re: Configuration file with sensitive data (password)



ERSEK Laszlo wrote:
> On Sun, 15 Nov 2009, Nicolas Alvarez wrote:
>> But where to put the password?
>>
>> Due to the protocol used during authentication, the daemon needs the
>> password in plaintext form, it can't be a hash (remote client sends "I
>> want to auth", daemon sends nonce, remote client hashes password and
>> nonce, daemon compares hashes).
> 
> The image stored on the server should rather be (salt, H(salt + pass)), in
> a world-readable plaintext file.
> 
> 1. client sends auth request
> 2. daemon sends (nonce, salt)
> 3. client sends H(nonce + H(salt + pass))
> 
> I'm not saying this is secure or anything, but it might be a bit less
> insecure. The nonce should protect against replay attacks, and the salt
> against precomputed password-hash tables.

I don't have the choice of changing the protocol. Clients doing 
md5(nonce+passwd) have been in the wild for a few years now.
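The two protocols discussed in this thread, side by side, as an added example that is not code from the original posters: the legacy exchange in which the client sends md5(nonce + passwd) and the server can only check it if it holds the plaintext, and the proposed exchange in which the server stores (salt, H(salt + pass)) and the client answers H(nonce + H(salt + pass)). The thread does not name H, so SHA-256 is assumed here; the salt and nonce lengths are also assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def H(data: bytes) -> bytes:
    # The thread writes the hash as H() without naming one; SHA-256 is assumed.
    return hashlib.sha256(data).digest()


# --- Legacy protocol from the thread: md5(nonce + passwd) -------------------
# The daemon can only verify this response if it stores the password itself,
# which is exactly why the original poster cannot keep it as a hash.

def legacy_client_response(nonce: bytes, password: bytes) -> bytes:
    return hashlib.md5(nonce + password).digest()


def legacy_server_verify(nonce: bytes, stored_plaintext: bytes, response: bytes) -> bool:
    expected = hashlib.md5(nonce + stored_plaintext).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, response)


# --- Proposed protocol: server stores (salt, H(salt + pass)) ----------------

def enroll(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, image) for the server's file; the password itself is not kept."""
    if salt is None:
        salt = os.urandom(16)  # 16-byte salt is an assumed size
    return salt, H(salt + password)


def server_challenge() -> bytes:
    """Step 2: a fresh nonce for every authentication attempt (size assumed)."""
    return os.urandom(16)


def client_response(nonce: bytes, salt: bytes, password: bytes) -> bytes:
    """Step 3: H(nonce + H(salt + pass)), derived from the password the client knows."""
    return H(nonce + H(salt + password))


def server_verify(nonce: bytes, image: bytes, response: bytes) -> bool:
    """The daemon recomputes H(nonce + image) from the stored image only."""
    return hmac.compare_digest(H(nonce + image), response)


def run_exchange(password: bytes, attempt: bytes) -> bool:
    """One full enrol / challenge / respond / verify round trip."""
    salt, image = enroll(password)          # stored server-side
    nonce = server_challenge()              # step 2: (nonce, salt) go to the client
    response = client_response(nonce, salt, attempt)  # step 3
    return server_verify(nonce, image, response)


if __name__ == "__main__":
    print("correct password accepted:", run_exchange(b"hunter2", b"hunter2"))
    print("wrong password accepted:  ", run_exchange(b"hunter2", b"letmein"))
```

In the proposed scheme the daemon never needs the password, only the image, and a response captured for one nonce fails against the next because the nonce changes per attempt. The caveat that matters for the "world-readable plaintext file" suggestion is that H(salt + pass) is all a client needs to compute step 3, so the stored image is still a credential for this protocol and should be protected like one; that is the sense in which the scheme is only "a bit less insecure" rather than secure.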


