
Re: userPassword compare fix



At 09:19 AM 1/28/2006, Oni (Paolo Meschi) wrote:
>With this overlay a user can compare a cleartext value to an hashed
>userPassword value but also can compare the hashed value to the
>userPassword. (So he could check also if "{crypt}qWe2pXud183" is the
>stored password) 

When I noted:
   (Of course, you could tweak your implementation to be
   sensitive to whether the assertion value is hashed or
   not.)

I should have also noted that doing so will introduce a significant
security threat.  If an attacker were able to obtain the hashed
password value, it could use that value to authenticate to
any user application blindly using this compare.  That is,
user applications would need to be smart enough to detect
the user provided a hash instead of a password.  Of course,
that's not likely.

Of course, this issue can be addressed by only authorizing
smart user application services to use this compare or,
in the alternative, disabling the direct (hash-to-hash) compare.

Hence, I would suggest at a minimum that a configuration option
be added to allow direct compare to be disabled.  I would also
suggest writing a README or manual page which discusses the
various interoperability and security issues mentioned in this
thread.

On a code note, please avoid C++ style comments (e.g., // comment)
in contributions.

-- Kurt
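Added example in C (not code from this thread or from the overlay under discussion): a userPassword compare routine that accepts either a cleartext or an already-hashed assertion value, with the configuration switch Kurt suggests for disabling the hash-to-hash path. The hash function is a constructed FNV-1a stand-in, not OpenLDAP's crypt/SSHA code; the `{scheme}` prefix detection is likewise an assumption for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real password hash (crypt, SSHA, ...):
 * FNV-1a rendered as "{FNV}xxxxxxxx".  The compare logic is the point. */
void toy_hash(const char *pw, char out[32])
{
    uint32_t h = 2166136261u;
    for (; *pw; pw++) { h ^= (unsigned char)*pw; h *= 16777619u; }
    snprintf(out, 32, "{FNV}%08x", h);
}

/* An assertion value of the form "{scheme}..." is treated as a hash,
 * not as something the user typed.  Caveat: a real cleartext password
 * that happens to start with "{...}" is misclassified by this test. */
int looks_hashed(const char *val)
{
    return val[0] == '{' && strchr(val, '}') != NULL;
}

/* allow_direct = 1: hash-to-hash compare accepted, so anyone holding the
 * stored hash can pass the compare (the threat Kurt describes).
 * allow_direct = 0: the suggested configuration option; hashed assertion
 * values are rejected outright.  Returns 1 on match, 0 otherwise. */
int userpassword_compare(const char *stored, const char *asserted,
                         int allow_direct)
{
    char digest[32];

    if (looks_hashed(asserted)) {
        if (!allow_direct)
            return 0;           /* a leaked hash is useless here */
        return strcmp(stored, asserted) == 0;
    }
    toy_hash(asserted, digest);
    return strcmp(stored, digest) == 0;
}

int main(void)
{
    char stored[32];
    toy_hash("correct horse", stored);      /* constructed stored value */
    printf("cleartext, direct off:   %d\n", userpassword_compare(stored, "correct horse", 0));
    printf("leaked hash, direct on:  %d\n", userpassword_compare(stored, stored, 1));
    printf("leaked hash, direct off: %d\n", userpassword_compare(stored, stored, 0));
    return 0;
}
```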