Re: passwords longer than 8 characters


Subject: Re: passwords longer than 8 characters
From: Thomas Kaiser (Thomas.Kaiser@phg-online.de)
Date: Mon Jul 30 2001 - 05:36:48 EDT


Hi,

[quotings rearranged :-/ ]

>>> Support for more than 8 chars in passwords came with DHX authentication.
>>
>> Where is this limitation?

With cleartext and 2-way randnum authentication there was a limitation in
the password length. This limitation no longer exists when using DHX
authentication, which is built into recent AppleShare clients (so you can
use passwords with more than 8 chars without modifying anything on your
Mac).

If a Mac contacts an AFP server then the server will answer the Mac's
FPGetSrvrInfo request with a list of UAMs it can handle. Some of them are
built-in, some of them may not be. So the AppleShare client looks into the
system folder for UAMs. If there is a UAM that matches the server's then it
will be used.

If you want to connect to NT's Services for Macintosh for example, you have
the ability to use cleartext and 2way-randnum (without dropping UAM files
into the Mac's system folder) or you copy the MS-UAM to your Mac and can use
an authentication method that allows passwords with 14 chars in length and
stronger encryption.

There are also patches available that can be used with AppleShare IP.
Afterwards you can authenticate via PGP with your server. :-)
 
>> Is it in the uam from netatalk, or is it built in into the chooser?

You have to search on both ends of the cable ;-)

With AppleShare Client 3.6 (or 3.7? -- can't remember) Apple supported
third-party UAMs. What you mean is the server's side, I think. When using the
dhx uam with netatalk and recent AppleShare Clients on your Macs (3.8.6 or
3.8.8) then you will automatically use DHX authentication between client and
server. So you will be able to use longer passwords.

>> If it is part of the uam, it would be nice to lift that limitation,
>> because then one would be able to authenticate against external services
>> (i.e., LDAP) with longer passwords.

This can be done already.

> It's a two part thing - you need to use dhx authentication, **and** you need
> to be using the latest version of appletalk (see earlier email from
> someone).

AppleTalk is not the right word. AppleShare Client sounds better ;-)

(Please remember that with AFP 3.0 there will no longer be support for AFP
-- aka AppleShare -- over AppleTalk at all)

Regards,

Thomas
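
The UAM matching described in this message, as an added example that is not part of the original post or of netatalk: it parses the UAM list out of an FPGetSrvrInfo reply block and reports whether a given client would end up on a UAM with the 8-character password limit. The UAM name strings, the `build_sample_reply` helper and the sample server data are assumptions constructed for illustration.

```python
import struct

# UAM name strings are an assumption (netatalk's advertised names); the
# message above names the methods but not their on-the-wire strings.
EIGHT_CHAR_LIMITED = {"Cleartxt Passwrd", "2-Way Randnum exchange"}
DHX_UAM = "DHCAST128"

def pstr(s):
    """Encode a Pascal string: one length byte, then the characters."""
    raw = s.encode("mac_roman")
    return bytes([len(raw)]) + raw

def build_sample_reply(uams):
    """Constructed FPGetSrvrInfo reply block (sample data, not a capture)."""
    name, machine = pstr("testsrv"), pstr("Netatalk")
    versions = bytes([1]) + pstr("AFPVersion 2.1")
    uam_blob = bytes([len(uams)]) + b"".join(pstr(u) for u in uams)
    m_off = 10 + len(name)                 # 4 offsets + flags = 10 bytes
    v_off = m_off + len(machine)
    u_off = v_off + len(versions)
    header = struct.pack(">5H", m_off, v_off, u_off, 0, 0)
    return header + name + machine + versions + uam_blob

def parse_uam_list(reply):
    """Return the UAM names a server advertises in its reply block."""
    if len(reply) < 8:
        raise ValueError("reply too short for the offset header")
    uam_off = struct.unpack_from(">H", reply, 4)[0]   # third 16-bit offset
    if uam_off >= len(reply):
        raise ValueError("UAM offset points outside the reply")
    count, pos, names = reply[uam_off], uam_off + 1, []
    for _ in range(count):
        if pos >= len(reply) or pos + 1 + reply[pos] > len(reply):
            raise ValueError("truncated UAM list")
        names.append(reply[pos + 1:pos + 1 + reply[pos]].decode("mac_roman"))
        pos += 1 + reply[pos]
    return names

def audit(server_uams, client_uams):
    """Report which UAMs both ends share and whether any cap passwords at 8."""
    common = [u for u in server_uams if u in client_uams]
    return {"common": common,
            "dhx_available": DHX_UAM in common,
            "eight_char_fallbacks": [u for u in common if u in EIGHT_CHAR_LIMITED]}

if __name__ == "__main__":
    reply = build_sample_reply(["Cleartxt Passwrd", "2-Way Randnum exchange", DHX_UAM])
    print(audit(parse_uam_list(reply), {"Cleartxt Passwrd", DHX_UAM}))
```

A server that still lists the 8-character UAMs lets an older client authenticate with a truncated password even when DHX is offered, so the `eight_char_fallbacks` field is the one to watch.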


