[nos-bbs] JNOS md5 authentication

M Langelaar maiko at pcsinternet.ca
Sat Feb 8 13:42:10 EST 2020


Hi Michael,

The new JNOS password management breaks the MD5AUTHENTICATE in the
sense that we can not use the cleartext password anymore. The password is
replaced with a HASH + SALT pair now. I was thinking perhaps we could keep
the MD5AUTHENTICATE working by using the SALT value instead of cleartext
password, but then one is giving away a portion of a secure database.

So last night I was thinking, why not have a MD5AUTHENTICATE password field
added to the password management, it can be a random key per user, and that
would be the key assigned to the outpost client instead of their password.

Or if you think the SALT value is enough (I think it is anyways), then to
keep it working for those using the new stuff, we replace password with
SALT value.

I hope this makes sense. IF you really want to continue to use MD5 ...

Are the logistics of your outpost operations greatly complicated by this
or not?

Maiko

On 07/02/2020 11:13 p.m., Michael Fox - N6MEF wrote:

> The way Outpost currently works is you configure a username and password for
> the BBS.  When Outpost connects via telnet:
> -- If it does NOT see the MD5 challenge, it logs in with the username and
> password as usual
> -- If it DOES see the MD5 challenge, it runs the algorithm against the
> challenge and the password to produce and send back the proper response.
>
> I don't understand enough about the implications of what you're asking.  But
> if you used something other than the user's password in the algorithm, then
> the client would also have to know what that is in order to produce the
> proper response, right?  And of course, it's important that multiple clients
> don't share the same "secret" info.
>
> Michael, N6MEF
>
>
>
> -----Original Message-----
> From: nos-bbs <nos-bbs-bounces at lists.tapr.org> On Behalf Of Langelaar
> Sent: Friday, February 7, 2020 11:19 AM
> To: TAPR xNOS Mailing List <nos-bbs at lists.tapr.org>
> Subject: [nos-bbs] JNOS md5 authentication
>
> Is it necessary to have to use the password in the md5 authentication ?
>
> Can it be any value that I have stored in the user database ? Like the
> random salt ?
>
> What are the implications for the client side, in particular outpost ?
>
> Maiko / VE4KLM
>
>
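
Added example, not part of the original thread and not JNOS or Outpost code: a sketch of the per-user random key idea, where the server keeps only a salted hash of the password and a separate key for the MD5 challenge. The response format (hex MD5 of challenge followed by the secret), the use of PBKDF2 and all field and function names are assumptions; the thread does not spell out the actual algorithm.

```python
import hashlib
import hmac
import secrets

def new_user(password: str) -> dict:
    """Constructed user record: salted password hash plus a separate auth key."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        # Assumption: PBKDF2 stands in for whatever hash the password database uses.
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        # Random per-user key, configured in the client in place of the password.
        "md5_key": secrets.token_hex(16),
    }

def check_password(user: dict, password: str) -> bool:
    """Plain login: re-derive the hash from the stored salt; no cleartext is stored."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["hash"])

def new_challenge() -> str:
    """Fresh random challenge per connection, so an old response cannot be replayed."""
    return secrets.token_hex(8)

def md5_response(challenge: str, secret: str) -> str:
    """Assumed response format: hex MD5 of the challenge followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()

def verify_response(user: dict, challenge: str, response: str) -> bool:
    """Server side: recompute from the stored per-user key, compare in constant time."""
    expected = md5_response(challenge, user["md5_key"])
    return hmac.compare_digest(expected.encode(), response.lower().encode())

def demo() -> dict:
    user = new_user("constructed-password")
    challenge = new_challenge()
    good = md5_response(challenge, user["md5_key"])
    from_password = md5_response(challenge, "constructed-password")
    return {
        "key_accepted": verify_response(user, challenge, good),
        "password_rejected": not verify_response(user, challenge, from_password),
        "replay_rejected": not verify_response(user, new_challenge(), good),
        "plain_login_ok": check_password(user, "constructed-password"),
    }

if __name__ == "__main__":
    print(demo())
```

The server can only verify the response because it stores `md5_key` in recoverable form, so that field needs the same protection as the rest of the password database.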


