Date: Sun, 16 Feb 1997 15:10:37 +0100
From: pb@fasterix.freenix.fr (Pierre Beyssac)
To: rkw@dataplex.net (Richard Wackerbarth)
Cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), security@FreeBSD.ORG
Subject: Re: changing password...
Message-ID: <19970216151037.OE63475@@>
In-Reply-To: <l03010d09af2c28477b2a@[208.2.87.3]>; from Richard Wackerbarth on Feb 15, 1997 21:03:53 -0600
References: <m0vvvPU-0008zXC@agora.rdrop.com> <l03010d09af2c28477b2a@[208.2.87.3]>

Richard Wackerbarth writes:
> This proposal would allow it.
>
> login: my_name
> passwd: Clear_text_1
>
> passwd -c $n$Hash_of_Clear_text_2$
>
> [real work here]
> logoff

It shouldn't be that simple. You have to request the old password
first, or...:

passwd -c $n$Hash_of_Clear_text_2$
[real work here]
[coffee break]
passwd -c $n$Hash_of_something_else_by_somebody_else$
[end coffee break]
[real work here]
logoff

You've just had your account stolen. This pretty much defeats the
whole interest of -c, which is to allow a portable way to change the
encrypted password.
-- 
Pierre Beyssac	pb@fasterix.frmug.fr.net pb@fasterix.freenix.fr
{Free,Net,Open}BSD, Linux: there are worse options, but they cost more
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
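
Added example, not part of the message above and not FreeBSD's passwd code: a Python model of the coffee-break session, comparing a `passwd -c` that accepts any well-formed hash with one that first checks the old password. The `passwd_c` function, the `require_old` switch and the `$pbkdf2$salt$digest$` hash format are assumptions made for this illustration.

```python
import hashlib, hmac, os, re

# Constructed hash format for this example: $pbkdf2$<salt hex>$<digest hex>$
HASH_RE = re.compile(r"^\$pbkdf2\$([0-9a-f]{32})\$([0-9a-f]{64})\$$")
ITERATIONS = 100_000

def make_hash(cleartext, salt=None):
    """Hash a password on the user's side, before handing it to passwd -c."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}$"

def verify(cleartext, stored):
    """Check a cleartext password against a stored hash in constant time."""
    m = HASH_RE.match(stored)
    if not m:
        return False
    salt = bytes.fromhex(m.group(1))
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), m.group(2))

def passwd_c(db, user, new_hash, old_cleartext=None, require_old=True):
    """Install a pre-hashed password for `user` (hypothetical model of -c).

    require_old=False models the proposal as quoted; require_old=True adds
    the old-password check the reply asks for.
    """
    if not HASH_RE.match(new_hash):
        raise ValueError("malformed hash")
    if require_old and (old_cleartext is None
                        or not verify(old_cleartext, db[user])):
        return False
    db[user] = new_hash
    return True

def coffee_break(require_old):
    """Replay the session; return True if the owner's new password still works."""
    db = {"my_name": make_hash("Clear_text_1")}  # constructed account
    # The owner changes the password and can supply the old one.
    passwd_c(db, "my_name", make_hash("Clear_text_2"), "Clear_text_1", require_old)
    # Somebody else at the unattended terminal does not know the password.
    passwd_c(db, "my_name", make_hash("something_else"), None, require_old)
    return verify("Clear_text_2", db["my_name"])

if __name__ == "__main__":
    print("owner keeps account, old password required:", coffee_break(True))
    print("owner keeps account, no check:", coffee_break(False))
```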