Two approaches are Kerberos and SASL EXTERNAL authentication over client
TLS certificates. Neither approach reveals private key material to the
On 12/01/15 07:39 -0500, Rich Alford wrote:
Thank you Ryan. So there's no way around that? I.e. Is there a
that can alleviate that?
On Mon, Nov 30, 2015 at 4:34 PM, Ryan Tandy <ryan(a)nardis.ca> wrote:
> On Mon, Nov 30, 2015 at 02:20:44PM -0500, Rich Alford wrote:
>> Theoretically, the password should be hashed on the client, sent across
>> the network, to be compared against the hashed passwords in the database.
> The client has no idea how the server stores or hashes passwords. The
> server might not even store them directly, but could be passing them to a
> third party (f.ex. a Kerberos KDC) for verification. So the client sends
> the password to the server in the clear (but protected by TLS), and the
> server verifies the password however it's configured to, in your case by
> hashing it and comparing the hash to the stored hash.