Re: Security

From: Stevie O
Subject: Re: Security
Date: Mon, 17 Sep 2001 00:58:34 -0400

At 09:28 PM 9/16/2001 -0700, you wrote:
> On Sun, Sep 16, 2001 at 08:37:26PM -0400, Stevie O wrote:
> > The method I suggested is no stronger than pserver is; it simply makes it
> > harder for someone to sniff the password off the network (which is
>
> Harder how?
>
> I don't have to decrypt your DES encrypted password.

My password isn't DES encrypted. I think you need to re-read the post.

> I just have to use my hacked cvs client to take your DES encrypted password
> from the command line and use it directly.

No, you don't. You don't know my password.

> It gains nothing.
>
> This is what MS added to SMB.  And it didn't gain them anything either.

I think you missed the point. You're thinking about something else (because MS likes to fixate on one technology and apply it everywhere -- that's why directories on your hard drive look like web pages).

Your LANMAN Password hash (which is created by DES encrypting a fixed string, 'address@hidden' with your password) is not sent in the clear over the network.

The server sends a challenge to the client. The client uses the LANMAN password hash to encrypt the challenge string, then sends the result back to the server as the response. No part of the password (or its hash) is sent over the wire in the clear. Compare that with pserver, which simply sends a reversibly encoded form of the password over.


Real programmers use COPY CON PROGRAM.EXE
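
The contrast drawn in the message above, as an added example that is not part of the original post and not CVS or SMB code: a reversible wire encoding is undone by anyone who captures it, while a challenge-response exchange puts neither the password nor its hash on the wire, and a captured response fails against a fresh challenge. The XOR mask and HMAC-SHA256 are stand-ins for pserver's actual encoding and LANMAN's DES-based scheme; all names and the sample password are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-in reversible wire encoding: a fixed XOR mask (NOT the real pserver table).
def encode_reversible(password: str) -> bytes:
    return bytes(b ^ 0x5A for b in password.encode())

def decode_reversible(wire: bytes) -> str:
    return bytes(b ^ 0x5A for b in wire).decode()

# Stand-in for the stored password hash (LANMAN derives its hash with DES).
def stored_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Client side. Takes only the hash, so the hash itself must be protected at rest.
def respond(pw_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, pw_hash: bytes):
        self.pw_hash = pw_hash
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh random value per attempt
        return self.pending

    def verify(self, response: bytes) -> bool:
        challenge, self.pending = self.pending, None  # each challenge is single-use
        if challenge is None:
            return False
        return hmac.compare_digest(respond(self.pw_hash, challenge), response)

def demo() -> dict:
    password = "constructed-sample-pw"              # constructed sample value
    sniffed_encoded = encode_reversible(password)   # what a reversible scheme sends
    server = Server(stored_hash(password))
    c1 = server.new_challenge()
    r1 = respond(stored_hash(password), c1)         # what challenge-response sends
    first = server.verify(r1)
    server.new_challenge()
    replay = server.verify(r1)                      # captured response, new challenge
    return {
        "recovered_from_encoding": decode_reversible(sniffed_encoded),
        "legit_login": first,
        "replayed_response_accepted": replay,
        "password_on_wire": password.encode() in c1 + r1,
    }
```
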
