Date: Fri, 20 Mar 1998 15:19:24 -0500
From: David Collier-Brown <davecb@Canada.Sun.COM>
To: jallison@whistle.com, Multiple recipients of list <samba-technical@samba.anu.edu.au>
Subject: Re: Passwd change security (was CVS update: samba/source)

Jeremy Allison wrote:
> You misunderstood me. The only way a normal user
> can send a password change request using the new
> client/server protocol is if they entered the
> old password correctly as well (otherwise the
> new password won't decrypt properly at the
> server and, as the hash of the new password
> is used to decrypt the hash of the old password,
> which is also sent and checked then the old
> password has to be correct, if you get my
> meaning).
Good, that was what I hoped was occurring.
I was mildly unsure that MS was really
doing it right (;-))
--dave
--
David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb@hobbes.ss.org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
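
The check described in the quoted text, modelled as an added example that is not part of the original message or of Samba's code. SHA-256 and an XOR keystream stand in for the protocol's real hash and ciphers (assumptions), and the function names are hypothetical.

```python
import hashlib
import hmac

def pw_hash(password: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the protocol's password hash.
    return hashlib.sha256(password).digest()

def crypt(key: bytes, data: bytes) -> bytes:
    # Assumption: XOR with a SHA-256 counter keystream stands in for the
    # protocol's ciphers. Encrypting and decrypting are the same operation.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def client_request(typed_old: bytes, new: bytes):
    # Client side (hypothetical name): everything is keyed from what the
    # user typed, so a wrong old password yields the wrong keys.
    old_h, new_h = pw_hash(typed_old), pw_hash(new)
    enc_new_pw = crypt(old_h, new)        # new password under old hash
    enc_old_hash = crypt(new_h, old_h)    # old hash under new hash
    return enc_new_pw, enc_old_hash

def server_verify(stored_old_hash: bytes, enc_new_pw: bytes, enc_old_hash: bytes):
    # Server side (hypothetical name): returns the new hash to store, or None.
    candidate_new = crypt(stored_old_hash, enc_new_pw)
    candidate_hash = pw_hash(candidate_new)
    recovered_old = crypt(candidate_hash, enc_old_hash)
    # Garbage from a wrong old password cannot reproduce the stored hash.
    if hmac.compare_digest(recovered_old, stored_old_hash):
        return candidate_hash
    return None

if __name__ == "__main__":
    stored = pw_hash(b"old-secret")  # constructed sample account state
    print(server_verify(stored, *client_request(b"old-secret", b"new-secret")) is not None)
    print(server_verify(stored, *client_request(b"wrong-guess", b"new-secret")) is not None)
```

The server never needs the old password in clear: it holds only the stored hash, and the request is accepted only when the two blobs are consistent with that hash.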