blob: d72c5d765ea8072f0d786217ac9e5f64ea117f99 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
Authentication
==============
Authentication is split into four parts:
1. <Authentication mechanisms> [Authentication.Mechanisms.txt]
2. <Password schemes> [Authentication.PasswordSchemes.txt]
3. <Password databases> [PasswordDatabase.txt]
4. <User databases> [UserDatabase.txt]
See also <authentication penalty> [Authentication.Penalty.txt] handling for IP
addresses. See also <authentication policy support> [Authentication.Policy.txt]
for making policy based decisions.
Authentication mechanisms vs. password schemes
----------------------------------------------
Authentication mechanisms and password schemes are often confused, because they
have somewhat similar values. For example there is a PLAIN auth mechanism and
PLAIN password scheme. But they mean completely different things.
* *Authentication mechanism is a client/server protocol*. It's about how the
client and server talk to each others in order to perform the
authentication. Most people use only PLAIN authentication, which basically
means that the user and password are sent without any kind of encryption to
the server. SSL/TLS can then be used to provide the encryption to make PLAIN
authentication secure.
* *Password scheme is about how the password is hashed in your password
database*. If you use a PLAIN scheme, your passwords are stored in cleartext
without any hashing in the password database. A popular password scheme
MD5-CRYPT (also commonly used in '/etc/shadow') where passwords looks like
"$1$oDMXOrCA$plmv4yuMdGhL9xekM.q.I/".
* Plaintext authentication mechanisms work with ALL password schemes.
* Non-plaintext authentication mechanisms require either PLAIN password scheme
or a mechanism-specific password scheme.
(This file was created from the wiki on 2019-06-19 12:42)
|