
Re: Unix auth via LDAP & now need to add Samba!



On Wed, 1 May 2002, David Wright wrote:
> Your step-by-step illustrates the flaw perfectly! The server stores HP.
> But HP can be used for authentication (by hashing with the challenge to
> produce HC)! It's true that the cleartext of the password P is safe, so if

Neither HPC nor HPS ever appears on the wire, so where did the attacker get it?
He can't calculate it unless he knows the password.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".
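
The exchange discussed above, as an added example that is not part of either poster's message: a toy challenge-response using the thread's names P, HP and HC, with SHA-256 and HMAC as stand-ins (an assumption, not the actual SMB algorithm) and a constructed account. It shows what crosses the wire and what the server's stored value is sufficient for.

```python
import hashlib
import hmac
import os

# Toy model using the thread's names: P = password, HP = stored hash,
# C = challenge, HC = response. SHA-256/HMAC are stand-ins (assumption).

def stored_hash(password: str) -> bytes:
    """HP: what the server keeps instead of the cleartext P."""
    return hashlib.sha256(password.encode()).digest()

def response(hp: bytes, challenge: bytes) -> bytes:
    """HC: HP hashed together with the server's challenge."""
    return hmac.new(hp, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.store = {}  # user -> HP

    def enroll(self, user: str, password: str) -> None:
        self.store[user] = stored_hash(password)

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, user: str, challenge: bytes, hc: bytes) -> bool:
        return hmac.compare_digest(response(self.store[user], challenge), hc)

def demo() -> dict:
    server = Server()
    server.enroll("alice", "correct horse")  # constructed sample account

    # Normal login: the client derives HP from P, then answers the challenge.
    c1 = server.challenge()
    hc1 = response(stored_hash("correct horse"), c1)
    wire = [c1, hc1]  # everything an eavesdropper sees

    hp = server.store["alice"]
    c2 = server.challenge()
    return {
        "password_login_ok": server.verify("alice", c1, hc1),
        "hp_seen_on_wire": hp in wire,
        # A captured HC is useless against a fresh challenge.
        "replayed_hc_ok": server.verify("alice", c2, hc1),
        # HP read from the server's store answers any challenge without P.
        "stored_hp_alone_ok": server.verify("alice", c2, response(hp, c2)),
    }

if __name__ == "__main__":
    print(demo())
```

In a scheme of this shape the store of HP values needs the same protection as a file of cleartext passwords, even though HP never crosses the wire.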