Re: [netatalk-admins] Netatalk Security


Subject: Re: [netatalk-admins] Netatalk Security
From: a sun (asun@saul10.u.washington.edu)
Date: Wed Aug 11 1999 - 16:42:11 EDT


   Someone please tell me why I should possibly want this when I have a
   perfectly valid (er, encrypted) /etc/passwd file at hand?

   Do I _need_ this (~/.passwd) in order to allow changing passwords via the
   dialog? In order to not use cleartext passwords in the Chooser dialog.

isn't this a faq? i know that it's shown up on the list numerous
times.

here's the deal: /etc/passwd keeps a 1-way hash of your password. you
can't actually extract the real password from it. the encrypted random
number authentication methods, on the other hand, need to use an
actual password to encrypt random numbers. see a problem? currently,
my patchset keeps that password in ~/.passwd. in the next release,
you'll be able to store everyone's passwords in a global afppasswd
file that only root should be able to read.

of course, that brings us to the next question: why isn't there an
authentication method that just passes an encrypted cleartext password
through? well, there is. it's called DHX (for diffie-hellman
authentication) and will be standard with the next appleshare client
from apple. it currently is available as a separate uam with 3.8.3. my
current development patchset also has support for it if you have
access to the openssl libraries.

-a
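An added illustration (not part of the original message, and not Netatalk's code) of the point in the reply: a login that receives the password itself can be checked against a one-way hash, but an "encrypt a random number" challenge-response needs the real password on the server. HMAC-SHA256 is assumed here as a stand-in for the DES step of the real randnum UAM; `SALT_LEN`, `compare_models` and the sample password are constructed for the example.

```python
"""Constructed demonstration: why /etc/passwd-style hashes suffice for a
cleartext login but not for random-number challenge-response."""
import hashlib
import hmac
import os
import secrets

SALT_LEN = 8  # constructed value for this example


def store_hashed(password: str, salt: bytes = b"") -> bytes:
    """/etc/passwd model: keep only salt + one-way hash, never the password."""
    salt = salt or os.urandom(SALT_LEN)
    return salt + hashlib.sha256(salt + password.encode()).digest()


def verify_hashed(record: bytes, password: str) -> bool:
    """Cleartext login: the client sends the password over the wire, the
    server re-hashes it and compares. Only the hash needs to be stored."""
    return hmac.compare_digest(record, store_hashed(password, record[:SALT_LEN]))


def encrypt_challenge(secret: str, challenge: bytes) -> bytes:
    """Stand-in for the UAM's 'encrypt the random number with the password'.
    Assumption: HMAC-SHA256 replaces the DES step of the real UAM; the
    property that matters (the password is the key) is the same."""
    return hmac.new(secret.encode(), challenge, hashlib.sha256).digest()


def verify_randnum(server_secret: str, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the client's answer. This only succeeds when
    server_secret is the actual password, which is why it has to live in
    ~/.passwd or a root-only afppasswd file rather than in /etc/passwd."""
    return hmac.compare_digest(encrypt_challenge(server_secret, challenge), response)


def compare_models(password: str = "constructed-example") -> dict:
    """Run both models against one password and report which stored secret
    can verify which login method. Expected: True, True, False."""
    record = store_hashed(password)                    # what /etc/passwd holds
    challenge = secrets.token_bytes(8)                 # server's random number
    response = encrypt_challenge(password, challenge)  # client's reply
    return {
        "hash_store_checks_cleartext_login": verify_hashed(record, password),
        "password_store_checks_randnum": verify_randnum(password, challenge, response),
        # the server holding only the hash cannot reproduce the response
        "hash_store_checks_randnum": verify_randnum(record.hex(), challenge, response),
    }
```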
      



This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:17:03 EST