Passwd change security (was CVS update: samba/source)

Jeremy Allison jallison at whistle.com
Fri Mar 20 18:31:23 GMT 1998


David Collier-Brown wrote:

>         While I think this is good/sane/advisable, I should
>         mention that this makes the password slightly
>         weaker than it would be on standard unix.
> 
>         The normal passwd program asks for the old
>         password to make sure someone hasn't sat
>         down at my machine while I'm logged on
>         to bug me by changing my password. This
>         prevents a denial-of-service attack.
> 

You misunderstood me. The only way a normal user
can send a password change request using the new
client/server protocol is if they entered the
old password correctly as well (otherwise the
new password won't decrypt properly at the
server and, as the hash of the new password
is used to decrypt the hash of the old password,
which is also sent and checked, then the old
password has to be correct, if you get my
meaning).

> Anyone know if WfW and NT < 4 do it correctly?
> Indeed, anyone know if 95/NT4 are really correct?
 
Yep they are.

I'm talking about calling the local UNIX passwd
program as root *after* the old SMB password hash
supplied in the password change protocol has already
been verified to be correct. Thus, if the intent is 
that UNIX passwords follow the SMB passwords, then
using the root feature of passwd to change the 
UNIX password to the new SMB password is allowable.

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
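
The server-side check Jeremy describes, sketched as an added example (not Samba's code and not part of the original message). Assumptions: SHA-256 and an XOR keystream stand in for the SMB password hash and the ciphers the real protocol uses, and the buffer layout, function names and sample passwords are constructed for illustration.

```python
import hashlib, hmac, os

BUF_LEN = 64  # constructed layout: random padding | new password | 2-byte length

def pw_hash(password: str) -> bytes:
    # Assumption: SHA-256 stands in for the SMB password hash.
    return hashlib.sha256(password.encode("utf-8")).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Assumption: toy keyed stream cipher standing in for the protocol's ciphers.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(d ^ k for d, k in zip(data[off:off + 32], block))
    return bytes(out)

def client_request(old_pw: str, new_pw: str):
    new = new_pw.encode("utf-8")
    buf = os.urandom(BUF_LEN - 2 - len(new)) + new + len(new).to_bytes(2, "big")
    enc_new = keystream_xor(pw_hash(old_pw), buf)                   # keyed by old hash
    enc_old_hash = keystream_xor(pw_hash(new_pw), pw_hash(old_pw))  # keyed by new hash
    return enc_new, enc_old_hash

def server_verify(stored_old_hash: bytes, enc_new: bytes, enc_old_hash: bytes):
    """Return the new password if the request proves knowledge of the old one."""
    if len(enc_new) != BUF_LEN or len(enc_old_hash) != len(stored_old_hash):
        return None
    buf = keystream_xor(stored_old_hash, enc_new)
    n = int.from_bytes(buf[-2:], "big")
    if not 0 < n <= BUF_LEN - 2:
        return None          # wrong old password: length field is garbage
    try:
        new_pw = buf[-2 - n:-2].decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Second check: the old hash, unwrapped with the recovered new hash,
    # must equal the stored one before anything is changed.
    claimed = keystream_xor(pw_hash(new_pw), enc_old_hash)
    return new_pw if hmac.compare_digest(claimed, stored_old_hash) else None

if __name__ == "__main__":
    stored = pw_hash("old-Secret")  # constructed sample values
    print(server_verify(stored, *client_request("old-Secret", "n3w-Secret")))
    print(server_verify(stored, *client_request("guess", "n3w-Secret")))
```

Only after `server_verify` returns a password would the server go on to the step discussed above, running the local passwd program as root.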

