CRAM Auth and Server Reinstall


I discovered recently that Drupal 5 does not encrypt the password on login. I consider this a serious hole in security as a third party could intercept communication and capture the password.

Ideally, we'd enable SSL access to the site so the line is encrypted. This cannot be done right now due to the aging OS on the deninet server. Setting up SSL on Gentoo is a mess. For now, I've installed the CRAM module to at least patch the hole. This module sends a random token to the user. The token is used in combination with the password to generate an MD5 hash using JavaScript on the client side. This hash is what's sent over the line -- no plaintext passwords. The server then takes the token, looks up your password and generates another hash. If the two match, you're logged in.

This isn't the greatest security, but it's better than nothing (which is what we had before). MD5 hashes can be broken fairly easily, and the token can be intercepted on send. I hope to keep this module around even after implementing SSL, thereby making it much, much harder to break. 

I'd like to deal with the issue of the aging OS and lack of SSL in one fell swoop. In order to do this, I plan to wipe the deninet server clean and reinstall Ubuntu Server 7.10 on it. User home directories, including the one on which the main site is stored, will be preserved as they are on a different disk. Since I will be out for three weeks starting Sunday, I'd like to take care of this ASAP. 

Please be advised this will create some downtime while I reconfigure the system.