[ZODB-Dev] CHAP with ZEO

Jeremy Hylton jeremy@digicool.com
Mon, 21 May 2001 19:29:06 -0400 (EDT)


I do not think that CHAP is a good scheme to use.  It is weaker than
even HTTP digest authentication.  The disadvantages section of the
CHAP RFC is short, but has one pretty significant limitation:

    CHAP requires that the secret be available in plaintext
    form. Irreversibly encrypted password databases commonly available
    cannot be used.

The HTTP digest authentication mechanism (RFC 2069) is a variation on
the same theme, but seems to be designed more carefully.  Certainly,
the operational environment for PPP servers is different from that of
HTTP servers.  A ZEO environment is more like HTTP than PPP.

RFC 2069 has a nice security considerations section that is relevant
to the question of a ZEO authentication mechanism.  Here's the intro:

    Digest Authentication does not provide a strong authentication
    mechanism. That is not its intent. It is intended solely to
    replace a much weaker and even more dangerous authentication
    mechanism: Basic Authentication. An important design constraint is
    that the new authentication scheme be free of patent and export
    restrictions.

    Most needs for secure HTTP transactions cannot be met by Digest
    Authentication. For those needs SSL or SHTTP are more appropriate
    protocols. In particular digest authentication cannot be used for
    any transaction requiring encrypted content. Nevertheless many
    functions remain for which digest authentication is both useful
    and appropriate.

  MP> Is this something we should think about rolling into ZEO?  This
  MP> may encourage people to build more distributed Zope sites,
  MP> possibly even large clusters run by the community.  The
  MP> implementation was done by subclassing StorageServer and
  MP> ClientStorage, so it's totally b/w compatible and optional.

As Andrew said in an earlier message, we do a disservice to the
community if we promote a system with a security infrastructure that
we know is substandard.

Jeremy
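The limitation quoted above is easy to see side by side. The following is an added illustration, not code from ZEO or from anyone in this thread: it implements the CHAP response from RFC 1994 (MD5 over the one-octet Identifier, the secret and the Challenge) and the RFC 2069 Digest response (MD5 of H(A1):nonce:H(A2), with H(A1) = MD5(username:realm:password)), then verifies each against a credential store. The CHAP authenticator can only work from the plaintext secret, while the Digest server needs nothing but the stored H(A1). The user name, the realm "zeo", the URI and the credential stores are made up for the example.

```python
"""Constructed comparison of CHAP (RFC 1994) and HTTP Digest (RFC 2069)
verification.  Added example, not ZEO code; all credentials are made up."""
import hashlib
import hmac
import os


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# ---- CHAP, RFC 1994: Response = MD5(Identifier || secret || Challenge) ----

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: hash over the one-octet Identifier, the shared secret and
    the Challenge, all of which the peer holds in the clear."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(secret_db: dict, name: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Authenticator side.  It must recompute the same MD5, so secret_db has
    to hold the plaintext secret; a one-way hash of the secret is useless."""
    secret = secret_db.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


# ---- HTTP Digest, RFC 2069: response = MD5(H(A1):nonce:H(A2)) ----

def digest_ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password).  This is all the server keeps."""
    return _md5hex(f"{username}:{realm}:{password}")


def digest_ha2(method: str, uri: str) -> str:
    """H(A2) = MD5(method:uri), binding the response to the request."""
    return _md5hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """Client side; the client derives H(A1) from the password it knows."""
    return _md5hex(f"{ha1}:{nonce}:{digest_ha2(method, uri)}")


def digest_verify(ha1_db: dict, username: str, realm: str, nonce: str,
                  method: str, uri: str, response: str) -> bool:
    """Server side: recomputes the response from the stored H(A1) only."""
    ha1 = ha1_db.get((username, realm))
    if ha1 is None:
        return False
    expected = digest_response(ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run one exchange of each kind with made-up credentials."""
    realm = "zeo"                          # made-up realm
    password = "correct horse battery staple"  # made-up password
    # CHAP authenticator: plaintext secrets on disk, nothing else works.
    chap_db = {"alice": password.encode("utf-8")}
    # Digest server: only H(A1) on disk, never the password itself.
    digest_db = {("alice", realm): digest_ha1("alice", realm, password)}

    ident, challenge = 7, os.urandom(16)
    chap_ok = chap_verify(chap_db, "alice", ident, challenge,
                          chap_response(ident, password.encode("utf-8"), challenge))
    chap_bad = chap_verify(chap_db, "alice", ident, challenge,
                           chap_response(ident, b"wrong", challenge))

    nonce = os.urandom(16).hex()
    good_ha1 = digest_ha1("alice", realm, password)
    digest_ok = digest_verify(digest_db, "alice", realm, nonce, "GET", "/zeo",
                              digest_response(good_ha1, nonce, "GET", "/zeo"))
    wrong_ha1 = digest_ha1("alice", realm, "wrong")
    digest_bad = digest_verify(digest_db, "alice", realm, nonce, "GET", "/zeo",
                               digest_response(wrong_ha1, nonce, "GET", "/zeo"))

    # Caveat: the stored H(A1) is password-equivalent for Digest.  Anyone who
    # reads the server's database can answer challenges without the password.
    stolen_ha1 = digest_db[("alice", realm)]
    stolen_ok = digest_verify(digest_db, "alice", realm, nonce, "GET", "/zeo",
                              digest_response(stolen_ha1, nonce, "GET", "/zeo"))

    return {"chap_ok": chap_ok, "chap_bad": chap_bad, "digest_ok": digest_ok,
            "digest_bad": digest_bad, "stolen_ha1_ok": stolen_ok}


if __name__ == "__main__":
    print(demo())
```

Note that `chap_verify` has no way to accept anything but the raw secret, which is exactly the operational cost the RFC's disadvantages section describes; `digest_verify` avoids it, but the `stolen_ha1_ok` result shows that the Digest credential store is still worth protecting as carefully as a plaintext one, since H(A1) lets its holder authenticate.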