[Freeciv-Dev] Re: Passwd auth with MD5 hash

[Erik Sigra <sigra@xxxxxxx>]

tisdagen den 21 augusti 2001 21:56 skrev Trent Piepho:
> On Tue, 21 Aug 2001, Erik Sigra wrote:
> > > Still, even with ssh I can trojan the sshd on the other end to get the
> > > password.  Sending the password encrypted does no good except against
> > > sniffing attacks since the server has to decode the password to check
> > > it.
> >
> > Why would the server need to know the password to check it? Can't it just
> > compare encrypted versions?
>
> No, it can't!  Think about it, the encrypted version is stored in the save
> game file.  The encrypted version of a UNIX password is stored in the
> /etc/passwd file* where everyone can read it.  If the server just compared
> the encrypted (wrong term really, hashed is better) versions, then all you
> would have to do is send the thing you see in the save game file to the
> server!

Oops! You got me.

> * Yes, I know that if you use shadow passwords then the hash isn't world
> readable.

And the real problem is that the equivalent of shadow passwords can't be 
built into Freeciv if I understand correctly?