Re: Security

[Stevie O]

At 09:28 PM 9/16/2001 -0700, you wrote:
> On Sun, Sep 16, 2001 at 08:37:26PM -0400, Stevie O wrote:
> > The method I suggestion is no stronger than pserver is; it simply makes it
> > harder for someone to sniff the password off the network (which is
>
> Harder how?
>
> I don't have to decrypt your DES encrypted password.

My password isn't DES encrypted. I think you need to re-read the post.


> I just have to use my hacked cvs client to take your DES encrypted password
> from the command line and use it directly.

No, you don't. You don't know my password.


> It gains nothing.
>
> This is what MS added to SMB.  And it didn't gain them anything either.

I think you missed the point. You're thinking about something else (because 
MS likes to fixate on one technology and apply it everywhere -- that's why 
directories on your hard drive look like web pages).

Your LANMAN Password hash (which is created by DES encrypting a fixed 
string, 'address@hidden' with your password) is not sent in the clear over the 
network.

The server sends a challenge to the client. The client uses the LANMAN 
password hash to encrypt the challenge string, then sends the result back 
to the server as the response. No part of the password (or its hash) is 
sent over the wire in the clear. Compare that with pserver, which simply 
sends an reversibly encoded form of the password over.


--
Stevie-O

Real programmers use COPY CON PROGRAM.EXE