Author: muffin Date: 2006-03-04 16:24:28 -0500 (Sat, 04 Mar 2006) New Revision: 968
Modified: trunk/docs/spec/lib/Haver/Spec/Auth.pod Log: Auth spec updates Modified: trunk/docs/spec/lib/Haver/Spec/Auth.pod =================================================================== --- trunk/docs/spec/lib/Haver/Spec/Auth.pod 2006-02-27 13:18:58 UTC (rev 967) +++ trunk/docs/spec/lib/Haver/Spec/Auth.pod 2006-03-04 21:24:28 UTC (rev 968) @@ -32,12 +32,15 @@ If not, the server will fail the client with B<auth.fail>. If some perverted client sends an unknown auth type to AUTH:TYPE, it will disconnect -the client with a bork with C<$detail = "I don't speak french!">. +the client with a bork with C<$detail = "I don't speak french!"> or something similar. $digest is one of the parameters after the first parameter of S:AUTH:BASIC. $response is the result of hashing the concatenation of $nonce and the user's passcode using the hash function named in $digest. The $response is always base64 encoded. +Every server that supports authentication MUST provide SHA-1 and/or MD5 support for +digests, to ensure that all clients have something standard to fall back on. + See also L</PASSCODES> for instructions on creating a passcode. Thus, $response can be generated with the following perl function: 
@@ -82,15 +85,15 @@ hash! So they can still login to other haver servers that the user has accounts on. So, we hash the concatenation of the user's password and the hostname of the server. -Now the hash is specific to the server, the admin can't figure out the hash for the user -on other servers. +Now the hash is specific to the server, so that the admin can't figure out the hash for the +user on other servers. But, the admin, being very evil, can find out what users have the same password. To prevent this, we hash the user's password, the user's name, and the hostname of the server. This is something the client does, of course. It is very important the clients hash things -in the same way. Thus all clients must use the sha1() hash function, and base64 encode its +in the same way. Thus all clients must use the SHA-1 hash algorithm, and base64 encode its results. Also, both the hostname and username need to be lower-cased, as both are case insensitive. _______________________________________________ Haver-commits mailing list [email protected] https://mail.gna.org/listinfo/haver-commits
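Review bot: in the first hunk, the added line `+Every server that supports authentication MUST provide SHA-1 and/or MD5 support for` undermines its own stated purpose: with "and/or", a server may offer only MD5 while a client implements only SHA-1, so there is still no digest every client/server pair is guaranteed to share. Make a single algorithm mandatory, for example `Every server that supports authentication MUST support SHA-1 for digests; servers MAY additionally offer MD5`, and SHA-1 is the one to require given MD5's known weaknesses. The other change in this hunk, appending `or something similar` to `$detail = "I don't speak french!"`, turns the bork detail into non-normative text; it would be clearer to say outright that clients must not match on the `$detail` string and should act on the bork itself.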
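Review bot: the second hunk still leaves the passcode construction under-specified even though it says "It is very important the clients hash things in the same way" and now names the SHA-1 hash algorithm. The text hashes "the user's password, the user's name, and the hostname of the server", but gives no order for the three values, no separator between them, no character encoding for the password, and the lower-casing rule does not say whether it is ASCII-only or Unicode case folding. Any client that differs on one of these produces a different passcode for the same account, so the spec should state the exact input, e.g. `sha1(lc($hostname) . "\0" . lc($username) . $password)` (one possible form; the spec needs to state whatever the existing implementations actually do). It is also worth a sentence that this construction only prevents cross-server reuse and equal-password detection, as the surrounding paragraphs claim; because it is a single fast hash, an admin holding the passcode file can still test candidate passwords offline, so the user's underlying password must still be strong.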
