Re: Confused about md5 passwords

[Harry Hoffman <hhoffman@ip-solutions.net>]

Stephan, Peter,
   Thanks, for the response. Does the same go for SHA, and do you know if
nss_ldap even supports SHA? I definetely don't want to switch to Kerberos.

Thanks,
Harry


Quoting Stephan Siano <stephan.siano@suse.de>:

 Hi,
 there is no algorithmic way to calculate a password from a hash value, so the
 
 password needs to be transferred to the LDAP server. Simple authintication 
 (used by the PAM-modules) just does that. There are two ways to prevent 
 tranferring cleartext passwords.
 a) use TLS. In this case the password is still transferred, but the whole 
 client-server communitcation is encrypted.
 
 b) use SASL. SASL supports ways to authenticate without actually transferring
 
 a password. Unfortunately pam_ldap does not support SASL and the credentials
 
 are not stored in the directory. (A combination of nss_ldap and Kerberos may
 
 help here).
 
 Yours
 Stephan Siano 
 
 -- 
 Stephan Siano                           Mail:  Stephan.Siano@suse.de
 SuSE Linux Solutions AG                 Phone: 06196 50951 31
 Mergenthalerallee 45-47			Fax:   06196 409607
 D-65760 Eschborn
 




-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/