From owner-freebsd-security Mon Jun 1 17:20:50 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA19880 for freebsd-security-outgoing; Mon, 1 Jun 1998 17:20:50 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dingo.cdrom.com (dingo.cdrom.com [204.216.28.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA19836 for ; Mon, 1 Jun 1998 17:20:25 -0700 (PDT) (envelope-from mike@dingo.cdrom.com)
Received: from dingo.cdrom.com (localhost [127.0.0.1]) by dingo.cdrom.com (8.8.8/8.8.5) with ESMTP id QAA01886; Mon, 1 Jun 1998 16:11:17 -0700 (PDT)
Message-Id: <199806012311.QAA01886@dingo.cdrom.com>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Poul-Henning Kamp
cc: Robert Watson, Eivind Eklund, "J.A. Terranson", "freebsd-security@FreeBSD.ORG"
Subject: Re: MD5 v. DES?
In-reply-to: Your message of "Mon, 01 Jun 1998 21:57:29 +0200." <5630.896731049@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 01 Jun 1998 16:11:16 -0700
From: Mike Smith
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> In message , Robert
> Watson writes:
>
> >> I have been considering if we shouldn't introduce a
> >>
> >>     int checkuserpassword(char *user, char *password);
> >>
> >> in some library, rather than having all these programs know that
> >> you should strcmp after calling crypt(). This would allow us to
> >> do what you propose or RADIUS authentication for that matter...
> >
> >I personally dislike this idea -- where does this leave one-time-password
> >users, etc?
>
> Perfectly safe as always. All it does is to make sure that you don't have
> to modify, ftpd, telnetd, login, popper, and uhm... what is the last one,
> I keep forgetting, Hmm.....

Actually, it sucks. See PAM and the XSSO stuff for some better directions,
but basically it still loses.
The principal difficulty is that many more sophisticated password schemes
are challenge-response based, eg. s/key, SecurID, etc. There's no easy way
for the authenticator to backchat with the user, which is often required
(but not always possible, eg. POP3).

--
\\  Sometimes you're ahead,       \\  Mike Smith
\\  sometimes you're behind.      \\  mike@smith.net.au
\\  The race is long, and in the  \\  msmith@freebsd.org
\\  end it's only with yourself.  \\  msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
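The gap Mike points at between a boolean checkuserpassword() and a challenge-response scheme is easiest to see in code. What follows is an added example, not code from this thread, from FreeBSD or from PAM. It places the proposed checkuserpassword() beside a PAM-style conversation callback (the names authenticate(), conv_fn and otp_conv are hypothetical) and shows that a program with no way to put a prompt in front of the user, a POP3 USER/PASS exchange for instance, can only ever verify stored-hash passwords, while a login-style program can complete an S/Key-like challenge. toy_hash() is a constructed stand-in for crypt(3) so the file builds without -lcrypt (it is not a password hash), the two-user database and the challenge string are constructed, and the hash comparison avoids the early exit of strcmp().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for crypt(3) so this builds without -lcrypt: FNV-1a 64 over
 * salt||password. NOT a password hash; never use it as one. */
static uint64_t toy_hash(const char *salt, const char *pw)
{
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { salt, pw };
    for (int i = 0; i < 2; i++)
        for (const unsigned char *p = (const unsigned char *)parts[i]; *p; p++)
            h = (h ^ *p) * 1099511628211ULL;
    return h;
}

/* Fixed-length compare with no early exit: strcmp() after crypt() stops at the
 * first differing byte. */
static int ct_equal(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= x[i] ^ y[i];
    return d == 0;
}

/* PAM-style conversation hook (hypothetical name): the authenticator hands the
 * application a prompt and gets the user's reply back, or -1 if it cannot. */
typedef int (*conv_fn)(const char *prompt, char *reply, size_t len, void *app);

enum method { M_STATIC, M_CHALLENGE };
struct user_rec { const char *name; enum method m; const char *salt; uint64_t hash; const char *secret; };
static struct user_rec db[2]; /* constructed user database, filled on first use */

static const struct user_rec *lookup(const char *name)
{
    static int ready;
    if (!ready) {
        db[0] = (struct user_rec){ "alice", M_STATIC, "xy", toy_hash("xy", "correct-horse"), NULL };
        db[1] = (struct user_rec){ "bob", M_CHALLENGE, NULL, 0, "bob-shared-secret" };
        ready = 1;
    }
    for (size_t i = 0; i < 2; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* The API proposed in the thread: it can only answer for users with a stored
 * hash, so a one-time-password user gets a flat "no" whatever they type. */
int checkuserpassword(const char *user, const char *password)
{
    const struct user_rec *u = lookup(user);
    if (!u || u->m != M_STATIC) return 0;
    uint64_t h = toy_hash(u->salt, password);
    return ct_equal(&h, &u->hash, sizeof h);
}

/* Conversation-driven variant (hypothetical). `password` is whatever the
 * program already collected (POP3's USER/PASS), `conv` is its way of asking
 * the user for more; either may be NULL. */
int authenticate(const char *user, const char *password, conv_fn conv, void *app)
{
    const struct user_rec *u = lookup(user);
    char reply[128], prompt[160];
    if (!u) return 0;
    if (u->m == M_STATIC) {
        if (!password && conv && conv("Password: ", reply, sizeof reply, app) == 0) password = reply;
        return password ? checkuserpassword(user, password) : 0;
    }
    /* Constructed challenge; a real S/Key server issues a fresh sequence number
     * and seed per attempt and the user answers from an OTP calculator. */
    const char *challenge = "otp-md5 97 fb1234";
    snprintf(prompt, sizeof prompt, "%s\nResponse: ", challenge);
    if (!conv || conv(prompt, reply, sizeof reply, app) != 0)
        return 0; /* no back-channel to the user: this method is unusable here */
    uint64_t expect = toy_hash(challenge, u->secret), got = strtoull(reply, NULL, 16);
    return ct_equal(&got, &expect, sizeof got);
}

/* login/telnetd-style conversation: relays the challenge line and, standing in
 * for the user's OTP calculator, answers it from the shared secret in `app`. */
static int otp_conv(const char *prompt, char *reply, size_t len, void *app)
{
    const char *nl = strchr(prompt, '\n');
    char challenge[128];
    if (!nl || (size_t)(nl - prompt) >= sizeof challenge) return -1;
    memcpy(challenge, prompt, (size_t)(nl - prompt));
    challenge[nl - prompt] = '\0';
    snprintf(reply, len, "%llx", (unsigned long long)toy_hash(challenge, (const char *)app));
    return 0;
}

int main(void)
{
    printf("alice, POP3-style (password only): %d\n", authenticate("alice", "correct-horse", NULL, NULL));
    printf("bob (OTP), POP3-style            : %d\n", authenticate("bob", "bob-shared-secret", NULL, NULL));
    printf("bob (OTP), login-style with conv : %d\n", authenticate("bob", NULL, otp_conv, "bob-shared-secret"));
    return 0;
}
```

The second printf is the point of the thread: bob's credential is sound and the program even holds the shared secret, but without a conversation hook the authenticator has no way to put the challenge in front of him, so the login cannot succeed. Swapping in a real S/Key or SecurID verifier changes only the M_CHALLENGE branch; the callers stay unchanged.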