summaryrefslogtreecommitdiffstats
path: root/doc/wiki/Authentication.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/wiki/Authentication.txt')
-rw-r--r--doc/wiki/Authentication.txt37
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/wiki/Authentication.txt b/doc/wiki/Authentication.txt
new file mode 100644
index 0000000..d72c5d7
--- /dev/null
+++ b/doc/wiki/Authentication.txt
@@ -0,0 +1,37 @@
+Authentication
+==============
+
+Authentication is split into four parts:
+
+ 1. <Authentication mechanisms> [Authentication.Mechanisms.txt]
+ 2. <Password schemes> [Authentication.PasswordSchemes.txt]
+ 3. <Password databases> [PasswordDatabase.txt]
+ 4. <User databases> [UserDatabase.txt]
+
+See also <authentication penalty> [Authentication.Penalty.txt] handling for IP
+addresses. See also <authentication policy support> [Authentication.Policy.txt]
+for making policy based decisions.
+
+Authentication mechanisms vs. password schemes
+----------------------------------------------
+
+Authentication mechanisms and password schemes are often confused, because they
+have somewhat similar values. For example there is a PLAIN auth mechanism and
+PLAIN password scheme. But they mean completely different things.
+
+ * *Authentication mechanism is a client/server protocol*. It's about how the
+ client and server talk to each others in order to perform the
+ authentication. Most people use only PLAIN authentication, which basically
+ means that the user and password are sent without any kind of encryption to
+ the server. SSL/TLS can then be used to provide the encryption to make PLAIN
+ authentication secure.
+ * *Password scheme is about how the password is hashed in your password
+ database*. If you use a PLAIN scheme, your passwords are stored in cleartext
+ without any hashing in the password database. A popular password scheme
+ MD5-CRYPT (also commonly used in '/etc/shadow') where passwords looks like
+ "$1$oDMXOrCA$plmv4yuMdGhL9xekM.q.I/".
+ * Plaintext authentication mechanisms work with ALL password schemes.
+ * Non-plaintext authentication mechanisms require either PLAIN password scheme
+ or a mechanism-specific password scheme.
+
+(This file was created from the wiki on 2019-06-19 12:42)
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-26 16:08:57 +0000