Re: Unix auth via LDAP & now need to add Samba!

On Wed, 1 May 2002, David Wright wrote:
> Your step-by-step illustrates the flaw perfectly! The server stores HP.
> But HP can be used for authentication (by hashing with the challenge to
> produce HC)! It's true that the cleartext of the password P is safe, so if

Neither HPC nor HPS ever appears on the wire, so where did the attacker get it?
He can't calculate it unless he knows the password.

Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
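
The scheme under discussion, as an added example that is not from either poster: the server stores HP, the response HC is HP hashed with the challenge, and the check shows what an old answer seen on the wire is worth compared with the stored HP itself. SHA-256 and HMAC stand in for the hash functions, which the thread does not name, and all function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


def stored_hash(password: str) -> bytes:
    """HP: what the server keeps on file instead of the cleartext password P."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def response(hp: bytes, challenge: bytes) -> bytes:
    """HC: HP hashed with the server's challenge (HMAC is an assumed stand-in)."""
    return hmac.new(hp, challenge, hashlib.sha256).digest()


def client_answer(password: str, challenge: bytes) -> bytes:
    """A legitimate client derives HP from P, then HC from HP."""
    return response(stored_hash(password), challenge)


def server_verify(hp_on_file: bytes, challenge: bytes, answer: bytes) -> bool:
    """The server recomputes HC from its stored HP; P is never needed."""
    return hmac.compare_digest(response(hp_on_file, challenge), answer)


def demo() -> dict:
    password = "constructed-sample-password"      # constructed sample value
    hp_on_file = stored_hash(password)            # contents of the server's store
    challenge = secrets.token_bytes(16)
    on_the_wire = client_answer(password, challenge)  # all that a listener sees
    fresh = secrets.token_bytes(16)               # challenge for a later session
    return {
        # Normal login succeeds.
        "legit_login": server_verify(hp_on_file, challenge, on_the_wire),
        # An old answer is useless against a fresh challenge.
        "old_answer_reused": server_verify(hp_on_file, fresh, on_the_wire),
        # The stored HP alone answers any challenge, so the store
        # needs the same protection as a cleartext password file.
        "answer_from_store": server_verify(
            hp_on_file, fresh, response(hp_on_file, fresh)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```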