Re: FW: Digest auth the wrong solution? from Murthy Chintalapati on 2002-10-10 (w3c-dist-auth@w3.org from October to December 2002)

From: Murthy Chintalapati <Murthy.Chintalapati@sun.com>
Date: Wed, 09 Oct 2002 18:05:47 -0700
To: Jim Whitehead <ejw@cse.ucsc.edu>
Cc: WebDAV <w3c-dist-auth@w3.org>
Message-id: <3DA4D26B.4040808@sun.com>

Daniel,

You are absolutely right in that the server-side need to know the real 
password to be able to the digest auth. However, this doesn't 
necessarily mean that the passwords are stored in clear text. For 
instance, LDAP servers (the Sun ONE Directory Server that I know for 
sure) support the notion of reversable password plugin -- where by 
server uses symmetric key algorithm (such as DES) to store password in 
an encrypted form.
regards.
-cvr

Jim Whitehead wrote:

>Accidentally caught by the spam filter. I have added
><dstone@trinity.unimelb.edu.au> to the accept2 list.
>
>- Jim
>
>-----Original Message-----
>From: Daniel Stone [mailto:dstone@trinity.unimelb.edu.au]
>Sent: Wednesday, October 09, 2002 4:46 PM
>To: w3c-dist-auth@w3.org
>Subject: [Moderator Action] Digest auth the wrong solution?
>
>Hi all,
>I'm writing MoulDAVia, a Python-based WebDAV server. Basically, it has
>interchangable backends for both authentication and retreiving/storing
>files/properties; the end aim is to have the configurable per-location
>(e.g. a shared area with no authentication and a home directory-based area
>with LDAP auth, depending on path, etc).
>Anyway, I've hit a bit of a snag trying to stay RFC-compliant: digest
>authentication.
>As far as I can tell, there's no real way to do digest authentication,
>without knowing the password server-side. For the LDAP backend, which will
>be the default (the default mode of operation will be home directories
>until I get the whole per-location thing sorted), authentication is
>performed by attempting to bind to LDAP as the given user/password pair,
>and seeing if that succeeds or not. At no stage does the server know the
>*real* password, only what the client gives it.
>Which, as far as I can tell, leaves me in a bit of a quandary trying to
>implement digest authentication. Is there any real way to do this without
>knowing the passwords server-side?
>I'm beginning to think that requiring digest auth is the wrong solution,
>and requiring a method of authentication stronger than base64 (e.g. digest
>or SSL), would be better. SSL isn't an issue to provide, but digest - now
>that's a snag. :)
>Any ideas?
>-d
>
>--
>Daniel Stone                                <dstone@trinity.unimelb.edu.au>
>Developer, Trinity College, University of Melbourne
>

Received on Wednesday, 9 October 2002 21:06:48 UTC