On Mon, Sep 23, 2002 at 11:36:33PM -0400, James O'Kane wrote:

> Note to list admin: Cancel my other post, I was subscribed with the wrong address.

> I'm picking up work on the pam-mysql module again, and I've come across an
> issue. Is it better to send the user-entered encrypted password to the
> mysql server to compare to what it has, or ask the server for the stored
> encrypted password and compare it within the module?

> Some sql to help clarify:

> select user from passwd-db where user='username' and passwd = 'encryptedpassword';

> This would return a username if the password matches and 0 results if they
> don't.

> - or -

> select password from passwd-db where user='username';

> This will return the encrypted password that the database has stored.

> In the first case, we have to send a password to the database which could
> be logged by the server if select queries are logged.

But the server already has the encrypted password. The worst that happens
if the SQL server logs queries is that an attacker who compromises your
authentication server can now get a bunch of wrong passwords, as well, and
those passwords are, well -- wrong.

I don't particularly care for either of the methods you described above;
the first one is better, because it requires the client to supply the
password for the server to verify, but it's only really better if you can
prevent a hostile client from also SELECTing the password field. I'm not
sure that's possible with MySQL.

Steve Langasek
postmodern programmer
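The two strategies from the thread, side by side, as an added example that is not part of the original message or of the pam-mysql module. It uses an in-memory SQLite table with the thread's `user`/`passwd` columns and a constructed sample row, and records each statement the way a server-side general query log would (literals substituted), so you can see what each strategy leaks into that log. The "encrypted password" is an unsalted SHA-256 digest, an assumption chosen because strategy 1 only works when the client can compute the stored value without first reading it (an unsalted scheme such as MySQL's PASSWORD(); a crypt(3)-style hash carries its salt in the stored string, so the module would have to fetch the row anyway). The in-module comparison uses a constant-time compare.

```python
import hashlib
import hmac
import sqlite3


def encrypt(password):
    # Stand-in for the thread's "encrypted password": an unsalted SHA-256
    # hex digest (assumption for the demo, not pam-mysql's real format).
    # Strategy 1 below needs a value the client can compute without first
    # reading the stored row, which rules out salted schemes like crypt(3).
    return hashlib.sha256(password.encode()).hexdigest()


def open_passwd_db():
    # Constructed sample table with the same columns the thread's queries use.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE passwd_db (user TEXT PRIMARY KEY, passwd TEXT NOT NULL)")
    con.execute("INSERT INTO passwd_db VALUES (?, ?)", ("alice", encrypt("correct horse")))
    con.commit()
    return con


def query(con, log, sql, params):
    # Simulated general query log: render the statement as the server would
    # see it, with literals substituted, then execute it with bound params.
    rendered = sql
    for p in params:
        rendered = rendered.replace("?", "'" + p.replace("'", "''") + "'", 1)
    log.append(rendered)
    return con.execute(sql, params).fetchall()


def auth_compare_on_server(con, log, user, password):
    # Strategy 1 from the thread: the module hashes the supplied password and
    # asks the server whether a row matches. The candidate hash is part of
    # the query text, so every guess (right or wrong) reaches the query log.
    rows = query(con, log,
                 "SELECT user FROM passwd_db WHERE user = ? AND passwd = ?",
                 (user, encrypt(password)))
    return len(rows) == 1


def auth_compare_in_module(con, log, user, password):
    # Strategy 2: fetch the stored hash and compare inside the module.
    # Only the username appears in the query text; the comparison is
    # constant-time so a wrong guess does not leak how many bytes matched.
    rows = query(con, log, "SELECT passwd FROM passwd_db WHERE user = ?", (user,))
    if len(rows) != 1:
        return False
    return hmac.compare_digest(rows[0][0], encrypt(password))


def demo():
    """Run both strategies with a correct and a wrong password.

    Returns (strategy1_results, strategy2_results, log1, log2) so the
    outcomes and the simulated query logs can be inspected or asserted on.
    """
    con = open_passwd_db()
    log1, log2 = [], []
    r1 = (auth_compare_on_server(con, log1, "alice", "correct horse"),
          auth_compare_on_server(con, log1, "alice", "wrong guess"))
    r2 = (auth_compare_in_module(con, log2, "alice", "correct horse"),
          auth_compare_in_module(con, log2, "alice", "wrong guess"))
    return r1, r2, log1, log2


if __name__ == "__main__":
    r1, r2, log1, log2 = demo()
    print("server-side compare:", r1)
    print("\n".join("  log: " + line for line in log1))
    print("in-module compare:  ", r2)
    print("\n".join("  log: " + line for line in log2))
```

Running `demo()` shows both strategies accepting the right password and rejecting the wrong one; the difference is in the logs. Strategy 1's log lines carry the digest of every attempt, including the wrong ones the thread mentions, while strategy 2's lines carry only `'alice'`. Note also that strategy 2 never needs the client to know how the stored value was produced before it reads it, which is what lets it work with salted hashes.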