Re: Confused on best security method...
On Wed, Jul 25, 2001 at 09:36:41AM -0400, Kevin J. Menard, Jr. wrote:
> SSHA is a seeded algorithm and produces a unique result every time.
> However, SSL/TLS is still in order, because it is possible, albeit very
> hard, to crack that password hash, if it's sniffed being sent in the clear.
Indeed.
> Actually, I think you can even send that hash that you sniff right back at
> openldap and it would authenticate.
I hope, and believe, that is not correct. I tried binding with the hash
itself, and with "{SSHA}" + hash, and neither bind was successful (OpenLDAP
2.0.11). Any system that allowed a client to present the hash itself in lieu
of the appropriate cleartext password would be seriously broken.
-Peter