Re: Authenticate a User.



"hackkaush" <hackkaush@xxxxxxxxx> writes:

> Thanks folks,
>
> It looks like PAM and getpwent()/crypt() got the maximum votes, I will
> keep it configurable, so user can set whatever he prefers. Will provide
> getpwent()/crypt() in default config, and in conf he can change it over
> to PAM if he likes. Does this sound good to everyone??

That sounds reasonable, provided you implement in a way that makes
adding more authentication methods later easy. If you one day need to
authenticate using Kerberos, adding that functionality should not
require major changes to the code.

> One more thing, the utility I am working on is like remote access, so
> the client is on different machine. Right now everything will go into
> plain text, except password, so I am planning to crypt it first and
> then send across the network. I think for this the best approach will
> be send back the salt from the server to the client, crypt it at the
> client using that salt, and then send the crypted one to server from
> client. Let me know if you have some comments.

No good. In fact, no better than sending the password as plain text.
An attacker can simply sniff the encrypted password off the wire, and
send that when challenged. He won't find out the password, but he
will be able to gain access. To avoid a replay attack like this, you
must use a method where the salt changes each time.

--
Måns Rullgård
mru@xxxxxxxxxxxxx
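The replay problem described above, and one challenge-response fix, as an added example that is not part of the original thread or of the poster's utility. It assumes the server keeps only a per-user salt and salted hash (the role getpwent()/crypt() play in the original), uses PBKDF2 in place of crypt(), and models the attacker as a passive sniffer who captures one login and sends it again. In the static-salt scheme the captured value is accepted forever; in the nonce scheme the server sends the static salt plus a fresh random nonce, the client answers with an HMAC keyed by the derived hash, and the server consumes the nonce on first use, so the captured answer is worthless on the next attempt.

```python
import hashlib
import hmac
import secrets

# Stand-in for crypt(): a slow salted hash (assumption, not the poster's code).
def derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """Constructed credential store: username -> (salt, derived hash)."""

    def __init__(self):
        self.users = {}
        self.pending = {}  # username -> outstanding nonce, consumed on use

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive(salt, password))

    # --- the scheme proposed in the thread: server sends its static salt ---
    def challenge_static(self, user: str) -> bytes:
        return self.users[user][0]

    def verify_static(self, user: str, response: bytes) -> bool:
        # Whatever was on the wire last time is accepted again: replayable.
        return hmac.compare_digest(response, self.users[user][1])

    # --- challenge-response: static salt plus a fresh, one-shot nonce ---
    def challenge_nonce(self, user: str):
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(16)  # CSPRNG, 128 bits, never reused
        self.pending[user] = nonce
        return salt, nonce

    def verify_nonce(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # single use, then discarded
        if nonce is None:
            return False
        _, h = self.users[user]
        expected = hmac.new(h, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


# Client side of each protocol.
def client_static(salt: bytes, password: str) -> bytes:
    return derive(salt, password)


def client_nonce(salt: bytes, nonce: bytes, password: str) -> bytes:
    return hmac.new(derive(salt, password), nonce, hashlib.sha256).digest()


def replay_demo():
    """Run both protocols against a sniffing attacker.
    Returns (static_replay_accepted, nonce_replay_accepted)."""
    srv = Server()
    srv.add_user("alice", "correct horse")  # constructed sample user

    # Static salt: legitimate login, attacker records the response...
    salt = srv.challenge_static("alice")
    captured = client_static(salt, "correct horse")
    assert srv.verify_static("alice", captured)
    # ...then sends the identical bytes when challenged. Accepted.
    static_replay = srv.verify_static("alice", captured)

    # Nonce: legitimate login, attacker records the response...
    salt, nonce = srv.challenge_nonce("alice")
    captured = client_nonce(salt, nonce, "correct horse")
    assert srv.verify_nonce("alice", captured)
    # ...then connects, receives a different nonce, replays the old answer.
    srv.challenge_nonce("alice")
    nonce_replay = srv.verify_nonce("alice", captured)
    return static_replay, nonce_replay


def wrong_password_rejected() -> bool:
    srv = Server()
    srv.add_user("bob", "hunter2")
    salt, nonce = srv.challenge_nonce("bob")
    return not srv.verify_nonce("bob", client_nonce(salt, nonce, "hunter3"))
```

Two caveats a practitioner would want. First, this only defeats replay: an active attacker sitting between client and server can still relay the live exchange, and everything else in the session is still plain text, so a transport such as TLS or SSH is the real fix. Second, because the server verifies with the stored hash, that hash is now a password equivalent: anyone who can read the credential store can answer challenges without ever learning the password.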


