
Re: Debugging a user authentication



On Tue, Nov 18, 2008 at 02:57:16PM +0100, Hallvard B Furuseth wrote:

> Andrew Findlay writes:
> > (1): The latest LDAP spec introduced pwprep to solve this problem,

I meant SASLprep - RFC4013

> > but hardly anything implements it yet. It will be many years before
> > you can depend on common LDAP clients doing it properly.
> 
> It's not just a client-side issue.  Most sites store a password hash in
> their server rather than the cleartext password.  That means the client
> needs to encode password with the same character encoding and
> preparation as whatever hashed the server-side password.  (E.g. the

Ideally password hashing should always be done by the server to avoid
risks like that. It is not always possible though :-(

> /etc/passwd program.)  Or the server needs to prepare cleartext
> passwords it receives from the client the same way, but it's likely a
> bad idea for the server to e.g. assume client passwords are latin-1 and
> convert to UTF-8.

A very bad idea indeed! The server has no way to know what character
set the client is using. That is why SASLprep has to be applied at the
client end.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
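The point made in this exchange, that SASLprep (RFC 4013) has to run on the client before the password bytes are sent, and that a server hashing raw bytes cannot repair a character-set mismatch, is shown below in an added Python example. It is not code from the thread or from any of the projects mentioned; the `saslprep`, `client_prepare`, `server_hash` and `server_verify` functions are assumptions for illustration. The SASLprep steps use the Python standard library's RFC 3454 tables (`stringprep`) and NFKC normalization (`unicodedata`); the server side hashes with PBKDF2-HMAC-SHA256 as a stand-in for whatever scheme a real directory uses.

```python
import hashlib
import hmac
import os
import stringprep
import unicodedata

# RFC 4013 prohibited-output tables (section 2.3), as exposed by stringprep.
_PROHIBITED = (
    stringprep.in_table_c12,      # non-ASCII space characters
    stringprep.in_table_c21_c22,  # ASCII and non-ASCII control characters
    stringprep.in_table_c3,       # private use
    stringprep.in_table_c4,       # non-character code points
    stringprep.in_table_c5,       # surrogate codes
    stringprep.in_table_c6,       # inappropriate for plain text
    stringprep.in_table_c7,       # inappropriate for canonical representation
    stringprep.in_table_c8,       # change display properties / deprecated
    stringprep.in_table_c9,       # tagging characters
)


def saslprep(password: str, allow_unassigned: bool = False) -> str:
    """Apply the SASLprep profile of stringprep (RFC 4013) to a password.

    allow_unassigned=False is the 'stored string' rule: unassigned code points
    are rejected, which is what you want when the result will be hashed.
    Raises ValueError on prohibited input instead of silently mangling it.
    """
    # Step 1, mapping: non-ASCII spaces become ASCII space (C.1.2),
    # characters "commonly mapped to nothing" (B.1) are removed.
    mapped = []
    for ch in password:
        if stringprep.in_table_c12(ch):
            mapped.append(" ")
        elif not stringprep.in_table_b1(ch):
            mapped.append(ch)
    # Step 2, normalization: Unicode NFKC, so composed and decomposed forms
    # (and compatibility characters such as U+2168 ROMAN NUMERAL NINE) agree.
    prepared = unicodedata.normalize("NFKC", "".join(mapped))
    # Step 3, prohibited output.
    for ch in prepared:
        if any(table(ch) for table in _PROHIBITED):
            raise ValueError("prohibited character U+%04X" % ord(ch))
        if not allow_unassigned and stringprep.in_table_a1(ch):
            raise ValueError("unassigned code point U+%04X" % ord(ch))
    # Step 4, bidi rules (RFC 3454 section 6): if any RandALCat character
    # is present, no LCat character may be, and both ends must be RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in prepared):
        if any(stringprep.in_table_d2(ch) for ch in prepared):
            raise ValueError("mixed right-to-left and left-to-right text")
        if not (stringprep.in_table_d1(prepared[0])
                and stringprep.in_table_d1(prepared[-1])):
            raise ValueError("right-to-left text must start and end with RandALCat")
    return prepared


def is_valid_saslprep(password: str) -> bool:
    """True if saslprep() accepts the string, False if it rejects it."""
    try:
        saslprep(password)
    except ValueError:
        return False
    return True


def client_prepare(password: str) -> bytes:
    """What a conforming client sends: SASLprep'd text encoded as UTF-8."""
    return saslprep(password).encode("utf-8")


def server_hash(password_bytes: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Server-side hash of the bytes it received; it never sees a charset."""
    return hashlib.pbkdf2_hmac("sha256", password_bytes, salt, iterations)


def server_verify(password_bytes: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a fresh hash against the stored one."""
    return hmac.compare_digest(server_hash(password_bytes, salt), stored)


def demo() -> dict:
    """Constructed inputs showing why preparation belongs on the client."""
    salt = os.urandom(16)
    # Password set by a client that typed the precomposed form of 'café'.
    stored = server_hash(client_prepare("caf\u00e9"), salt)
    return {
        # A client typing the decomposed form (e + combining acute) still matches.
        "decomposed_ok": server_verify(client_prepare("cafe\u0301"), salt, stored),
        # A legacy client sending the same word as Latin-1 bytes does not; the
        # server cannot tell b'caf\xe9' from a different UTF-8 password.
        "latin1_fails": server_verify("caf\u00e9".encode("latin-1"), salt, stored),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `saslprep` deliberately raises rather than strips prohibited characters: a client that silently drops a control character would accept a password the user never meant to type, and a server that guesses a charset (the latin-1 to UTF-8 conversion the thread warns against) would produce the same kind of silent mismatch.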