
Re: Confused about md5 passwords



On Wednesday, 12. December 2001 17:15, Harry Hoffman wrote:
> Hi All,
>   I'm a little confused and hopefully someone can help. I've added users
> into my ldap db with md5 passwords and authentication is working just fine.
> However when I use ngrep to watch the traffic between the application
> requesting authentication and the ldap db I see the password in clear text.
> Should this be happening? If so what purpose does moving to md5 present? Or
> is it just that should someone be able to grab the ldap passwords it will
> be more difficult to crack?

Hi,
there is no algorithmic way to calculate a password from a hash value, so the 
password needs to be transferred to the LDAP server. Simple authentication 
(used by the PAM-modules) just does that. There are two ways to prevent 
transferring cleartext passwords.
a) use TLS. In this case the password is still transferred, but the whole 
client-server communication is encrypted.

b) use SASL. SASL supports ways to authenticate without actually transferring 
a password. Unfortunately pam_ldap does not support SASL and the credentials 
are not stored in the directory. (A combination of nss_ldap and Kerberos may 
help here).

Yours
Stephan Siano 

-- 
Stephan Siano                           Mail:  Stephan.Siano@suse.de
SuSE Linux Solutions AG                 Phone: 06196 50951 31
Mergenthalerallee 45-47			Fax:   06196 409607
D-65760 Eschborn
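
The behaviour discussed in this thread, as an added example that is not part of the original messages: it encodes an LDAPv3 simple BindRequest (RFC 4511) and performs the server-side comparison against a `{MD5}` userPassword value. The DN, password and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def ber_len(n):
    """BER definite-length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def simple_bind_request(msg_id, dn, password):
    """LDAPMessage carrying a BindRequest with the 'simple' authentication choice."""
    bind = tlv(0x02, bytes([3]))              # version INTEGER 3
    bind += tlv(0x04, dn.encode())            # name: the bind DN
    bind += tlv(0x80, password.encode())      # simple [0]: the password, unmodified
    # msg_id is assumed to fit in one byte (0..127) for this example
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def md5_userpassword(password):
    """Value as stored in the directory: {MD5} + base64 of the raw MD5 digest."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def server_check(stored, presented):
    """Server side: hash the cleartext received in the bind, compare to the stored value."""
    return hmac.compare_digest(stored, md5_userpassword(presented))

def password_visible_on_wire(packet, password):
    """True if the cleartext password appears verbatim in the encoded request."""
    return password.encode() in packet

if __name__ == "__main__":
    dn, pw = "uid=jdoe,dc=example,dc=com", "s3cret"   # constructed sample values
    stored = md5_userpassword(pw)
    packet = simple_bind_request(1, dn, pw)
    print("stored in directory:", stored)
    print("bytes on the wire  :", packet)
    print("cleartext visible  :", password_visible_on_wire(packet, pw))
    print("server accepts     :", server_check(stored, pw))
```

The hash protects only the stored copy in the directory; the bind itself carries the password as typed, which is why the connection needs TLS.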