Passthrough security fix.

Andrew Tridgell tridge at samba.anu.edu.au
Tue Apr 21 01:20:21 GMT 1998


> They send the sessionsetup request *twice* - once
> with the correct password, and once with a password
> of random garbage. If both are accepted then the
> user was guest, if the first was accepted and
> the second rejected then the user was non-guest.

Excellent!
 
> Simple, elegant and works with all broken versions
> of NT. Can anyone see any disadvantages?

There is a minor one. The logs on the NT server will get filled with
messages about a bad password being entered. Hmmm, does NT log those
by default?

Also, you'll need to send the random garbage first, not 2nd. 

Cheers, Andrew

