From owner-freebsd-security Sun Feb 16 06:12:48 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA06107 for security-outgoing; Sun, 16 Feb 1997 06:12:48 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA06096 for ; Sun, 16 Feb 1997 06:12:40 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.8.4/8.8.4) with ESMTP id PAA12443; Sun, 16 Feb 1997 15:12:30 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.8.4/8.6.12) with UUCP id PAA13514; Sun, 16 Feb 1997 15:12:15 +0100
Received: (from pb@localhost) by fasterix.frmug.fr.net (8.7.5/8.7.3-fasterix-960828) id PAA03534; Sun, 16 Feb 1997 15:10:38 +0100 (MET)
Message-ID: <19970216151037.OE63475@@>
Date: Sun, 16 Feb 1997 15:10:37 +0100
From: pb@fasterix.freenix.fr (Pierre Beyssac)
To: rkw@dataplex.net (Richard Wackerbarth)
Cc: phk@critter.dk.tfs.com (Poul-Henning Kamp), security@FreeBSD.ORG
Subject: Re: changing password...
References:
X-Mailer: Mutt 0.59.1e
Mime-Version: 1.0
In-Reply-To: ; from Richard Wackerbarth on Feb 15, 1997 21:03:53 -0600
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Richard Wackerbarth writes:
> This proposal would allow it.
>
> login: my_name
> passwd: Clear_text_1
>
> passwd -c $n$Hash_of_Clear_text_2$
>
> [real work here]
> logoff

It shouldn't be that simple. You have to request the old password
first, or...:

    passwd -c $n$Hash_of_Clear_text_2$
    [real work here]
    [coffee break]
    passwd -c $n$Hash_of_something_else_by_somebody_else$
    [end coffee break]
    [real work here]
    logoff

You've just had your account stolen. This pretty much defeats the whole
interest of -c, which is to allow a portable way to change the encrypted
password.

-- 
Pierre Beyssac    pb@fasterix.frmug.fr.net pb@fasterix.freenix.fr
{Free,Net,Open}BSD, Linux: there are worse options, but they cost more
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
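
Added example, not part of the original message or of any FreeBSD code: a Python model of a `passwd -c`-style change that accepts a pre-hashed new password only after the old cleartext has been verified, which is the check the message above asks for. The `$pbkdf2$...$` hash format, the in-memory `db` and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import re

# Constructed hash format for this example: $pbkdf2$<salt hex>$<digest hex>$
HASH_RE = re.compile(r"^\$pbkdf2\$([0-9a-f]{32})\$([0-9a-f]{64})\$$")
ITERATIONS = 50_000

def make_hash(cleartext, salt=None):
    """Client side: hash the new password before it is sent anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return f"$pbkdf2${salt.hex()}${digest.hex()}$"

def verify(cleartext, stored):
    """Check a cleartext password against a stored hash in constant time."""
    m = HASH_RE.match(stored)
    if not m:
        return False
    salt = bytes.fromhex(m.group(1))
    digest = hashlib.pbkdf2_hmac("sha256", cleartext.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), m.group(2))

def change_hash(db, user, old_cleartext, new_hash):
    """Install a pre-computed hash, but only after re-authentication."""
    stored = db.get(user)
    if stored is None or not verify(old_cleartext, stored):
        return False  # a passer-by at an unattended session stops here
    if not HASH_RE.match(new_hash):
        return False  # refuse malformed hashes that would lock the account
    db[user] = new_hash
    return True

if __name__ == "__main__":
    db = {"my_name": make_hash("Clear_text_1")}
    # Coffee-break scenario: no knowledge of the old password, change refused.
    print(change_hash(db, "my_name", "", make_hash("something_else")))
    # Legitimate owner: old password supplied, new hash accepted.
    print(change_hash(db, "my_name", "Clear_text_1", make_hash("Clear_text_2")))
```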