Re: Passwd change security (was CVS update: samba/source)

David Collier-Brown (davecb@Canada.Sun.COM)
Fri, 20 Mar 1998 15:19:24 -0500

Date:	Fri, 20 Mar 1998 15:19:24 -0500
From:	David Collier-Brown <davecb@Canada.Sun.COM>
To:	jallison@whistle.com, Multiple recipients of list <samba-technical@samba.anu.edu.au>
Subject: Re: Passwd change security (was CVS update: samba/source)

Jeremy Allison wrote:
> You misunderstood me. The only way a normal user
> can send a password change request using the new
> client/server protocol is if they entered the
> old password correctly as well (otherwise the
> new password won't decrypt properly at the
> server and, as the hash of the new password
> is used to decrypt the hash of the old password,
> which is also sent and checked then the old
> password has to be correct, if you get my
> meaning).

Good, that was what I hoped was occurring.
I was mildly unsure that MS was really
doing it right (;-))

--dave

-- 
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb@hobbes.ss.org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
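
The check described in the quoted text above, as an added example that is not part of the original message and is not Samba or Microsoft code: the server decrypts the new password with the old hash it has stored, then uses the hash of that new password to decrypt the old hash the client sent, and compares it with the stored one. Assumptions: SHA-256 and a SHA-256 XOR keystream stand in for the protocol's real hash and ciphers, and all function names and sample passwords are hypothetical.

```python
import hashlib
import hmac

def pw_hash(password: bytes) -> bytes:
    # Stand-in (assumption) for the password hash the server stores.
    return hashlib.sha256(password).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in (assumption) symmetric cipher: XOR with a SHA-256 counter
    # keystream. The same call encrypts and decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def client_request(typed_old: bytes, new: bytes):
    # The client only knows what the user typed as the old password.
    old_h = pw_hash(typed_old)
    enc_new = stream_xor(old_h, new)                # new password under old hash
    enc_old_hash = stream_xor(pw_hash(new), old_h)  # old hash under new hash
    return enc_new, enc_old_hash

def server_change(stored_hash: bytes, enc_new: bytes, enc_old_hash: bytes):
    # Returns the new hash to store, or None if the request is rejected.
    new = stream_xor(stored_hash, enc_new)          # garbage if old was wrong
    claimed_old = stream_xor(pw_hash(new), enc_old_hash)
    if not hmac.compare_digest(claimed_old, stored_hash):
        return None
    return pw_hash(new)

def demo():
    stored = pw_hash(b"old-secret")                 # constructed sample values
    good = server_change(stored, *client_request(b"old-secret", b"new-secret"))
    bad = server_change(stored, *client_request(b"wrong-guess", b"new-secret"))
    return good == pw_hash(b"new-secret"), bad is None

if __name__ == "__main__":
    print(demo())
```

Because the second blob is keyed by the hash of whatever the server decrypted as the new password, altering the first blob in transit also makes the comparison fail.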