[Standards-JIG] Re: Re: JEP-0077: In-Band Registration

Chris Mullins chris.mullins at coversant.net
Mon Jul 17 20:10:47 UTC 2006


Piotr Szturmaj Wrote:

> All I want is storing hashes on disk instead of 
> plain text passwords (even encrypted). 

That's always been an issue with the legacy authentication types - the
need to store the real password. Storing a hash + salt is certainly
preferable. 

This problem though is dwarfed, in my opinion, by a much bigger one. 

In general, most people run our server (and I'm going to assume that our
use case is fairly standard and extends to a number of other
installations) against an LDAP or Active Directory store. When the user
attempts to authenticate, we authenticate them against the back-end data
store, be it AD, LDAP, or something custom.

For AD and LDAP stores though, we NEED the original password. All of the
Windows APIs require it, all of the LDAP APIs require it. This means
the actual password is transferred across the wire each time a user logs
in. Granted, it's protected by TLS or SSL most of the time, but this is
still a huge problem - much bigger than storing the actual password on
the disk.

Now, to mitigate this I wrote a custom SASL mechanism that does GSSAPI
(aka: SSPI in Microsoft land). This is something I keep meaning to
write-up as a JEP, as it's pretty easy. I'm even willing to provide .Net
client-side sample code. In terms of standards though, this isn't
something that's widely supported. 

PSA: Where's that "How to write a JEP" link again? :)

--
Chris Mullins
http://www.coversant.net/blogs/cmullins
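The "hash + salt" storage that the thread calls preferable, as an added example that is not code from this post, from Coversant, or from the JEP. It is a small credential store that keeps only a per-user salted, iterated PBKDF2-HMAC-SHA256 hash on disk and verifies a password presented in clear (for instance over SASL PLAIN under TLS) without ever storing the password itself. The record format, the 600,000-iteration work factor (current OWASP guidance) and the `CredentialStore` class are this example's own choices, not anything the mailing list specifies.

```python
import hashlib
import hmac
import secrets

# Assumptions (this example's own choices, not from the mailing-list post):
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor per current OWASP guidance
SALT_BYTES = 16
KEY_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the on-disk form: algorithm$iterations$salt_hex$hash_hex.

    The salt is fresh per record, so two users with the same password get
    different hashes and a precomputed table cannot be reused across records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    key = derive_key(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def check_record(record: str, password: str) -> bool:
    """Verify a presented password against a stored record."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


# Constructed dummy record, used to do equal work when the user does not exist.
_DUMMY_RECORD = make_record("dummy-password-not-a-real-account")


class CredentialStore:
    """Username -> record map; stands in for the rows a server would persist."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        # Only the salted hash is kept; the password is discarded after this call.
        self._records[username] = make_record(password)

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Do the same work for unknown users so the response time does not
            # reveal whether the account exists.
            check_record(_DUMMY_RECORD, password)
            return False
        return check_record(record, password)

    def record_for(self, username: str) -> str:
        """The string that would actually be written to disk for this user."""
        return self._records[username]

    @classmethod
    def from_plaintext(cls, plaintext: dict[str, str]) -> "CredentialStore":
        """One-time migration of a legacy plaintext table into hashed records."""
        store = cls()
        for username, password in plaintext.items():
            store.register(username, password)
        return store
```

A server that keeps only these records can verify PLAIN-style logins, but, as the post says, it no longer has a cleartext password to hand to an LDAP or AD bind, nor to a legacy challenge-response mechanism that needs the real password on the server side; that is exactly the trade-off the thread is weighing.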


