
comanage-users - Re: [comanage-users] Support for application specific passwords

Subject: COmanage Users List


Re: [comanage-users] Support for application specific passwords


  • From: "Basney, Jim" <>
  • To: Gerben Venekamp <>
  • Cc: Benn Oshrin <>, "" <>, Paul van Dijk <>
  • Subject: Re: [comanage-users] Support for application specific passwords
  • Date: Tue, 13 Sep 2016 12:30:32 +0000
  • Accept-language: en-US

Hi Gerben,

On 9/13/16, 12:33 AM, Gerben Venekamp wrote:
>> On 09 Sep 2016, at 19:44, Basney, Jim <> wrote:
>>
>> What I have in mind for application-specific passwords in CILogon 2.0 is
>> storing LDAP-style password verifiers (hashes). I wouldn't want to store
>> encrypted passwords.
>
>I fail to understand why? My knowledge on LDAP might be too limited. To
>me it seems that it doesn't matter if you store encrypted passwords or
>hashes.

What key do you encrypt the passwords with and how do you protect that
key? As you noted in your original message, storing the decryption keys
with the passwords would not be a good idea. I think hashes are
safer/simpler to work with.

>>Of course this will restrict us to
>> supporting only those applications that can use LDAP-style password
>> verifiers.
>
>Again, my LDAP knowledge might need to grow a bit… What I am trying to do
>is to leverage PAM to do the authentication and not have an application
>implement the LDAP lookup and verification. In what way are applications
>then restricted to use LDAP-style password verifiers?

Rather than trying to figure out which password hashing algorithms are
supported by which applications, I think it's better to standardize on
LDAP password hashing and use for example pam_ldap for verification. But
it depends on your user requirements.

Regards,
Jim
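
The verifier approach discussed in this message, as an added example that is not part of the original e-mail and is not CILogon or COmanage code. It assumes the salted SHA-1 `{SSHA}` userPassword scheme (the thread names no specific scheme) and server-generated random application passwords; all function names and the application names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

SHA1_LEN = 20  # SHA-1 digest size in bytes


def new_app_password(nbytes=18):
    """Random application-specific password, shown to the user once (assumption)."""
    return secrets.token_urlsafe(nbytes)


def make_ssha(password, salt=None):
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(verifier):
    """Return (digest, salt) from a stored value, or None if it is not valid {SSHA}."""
    if not verifier.upper().startswith("{SSHA}"):
        return None  # unknown scheme: reject rather than guess
    try:
        raw = base64.b64decode(verifier[6:], validate=True)
    except ValueError:
        return None
    if len(raw) <= SHA1_LEN:
        return None  # digest without a salt is not a salted verifier
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password, verifier):
    """Recompute the salted hash and compare in constant time."""
    parts = split_ssha(verifier)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":  # constructed demo: one verifier per application
    issued = {app: new_app_password() for app in ("mail", "gridftp")}
    store = {app: make_ssha(pw) for app, pw in issued.items()}
    del store["gridftp"]  # revoke a single application's password
    print(verify_ssha(issued["mail"], store["mail"]))  # other entry unaffected
    print(verify_ssha(issued["gridftp"], store.get("gridftp", "")))  # revoked
```

No decryption key exists anywhere in this design, which is the point made above about key protection. Because `{SSHA}` is a single fast hash, it protects stored values only when the passwords are long random strings like the generated ones here.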



