Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!amdcad!ames!nrl-cmf!cmcl2!adm!xadmx!rbj@nav.icst.nbs.gov
From: rbj@nav.icst.nbs.gov (Root Boy Jim)
Newsgroups: comp.unix.wizards
Subject: /etc/shadow
Message-ID: <17568@adm.BRL.MIL>
Date: 17 Nov 88 15:52:51 GMT
Sender: news@adm.BRL.MIL
Lines: 16

? From: Doug Gwyn
? In the above, probably it would be safest to use the encrypted form
? of a trial password instead of plaintext. It bothers me that some
? network protocols send unencrypted passwords over the network.

Perhaps I don't understand the problem fully, but it seems to me that
I could just write a client that sends, say, the login name and the
encrypted password (which I got from reading the password file) over
the net and masquerade as a legitimate host.

Unless you send the plaintext password over the net, you preclude the
server from checking the validity itself. And you force all encryption
algorithms to be the same.

	(Root Boy) Jim Cottrell	(301) 975-5688
	or Crackers and Works -- Breakfast of Champions!
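The two server designs the post contrasts, worked through as an added example (this is not code from the original post or from either participant). A server that re-derives the stored value from a submitted plaintext can tell a real password from anything else, while a server that merely compares a client-supplied "encrypted form" against the password file turns the file's contents into a credential in their own right, which is the masquerade the post describes. The salted SHA-256 standing in for crypt(3), the user name, the password and all function names are assumptions made here for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory "password file": user -> (salt, stored hash).
# Salted SHA-256 is used here as a stand-in for crypt(3) (assumption);
# the argument does not depend on which one-way function is used.
PASSWD_FILE = {}


def hash_password(password: str, salt: bytes) -> str:
    """One-way transform of a password, the post's 'encrypted form'."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def add_user(user: str, password: str) -> None:
    salt = os.urandom(8)
    PASSWD_FILE[user] = (salt, hash_password(password, salt))


def server_verifies_plaintext(user: str, submitted_password: str) -> bool:
    """Design 1: the client sends the plaintext and the server checks it
    itself by re-deriving the stored value with the server's own salt and
    algorithm. Only knowledge of the password passes this check."""
    salt, stored = PASSWD_FILE[user]
    return hmac.compare_digest(hash_password(submitted_password, salt), stored)


def server_accepts_hash(user: str, submitted_hash: str) -> bool:
    """Design 2: the client sends the already-transformed value and the
    server compares it to the file. The server never sees a password, so
    whatever sits in the password file is now sufficient to log in, and
    the client must use exactly the server's salt and algorithm."""
    _, stored = PASSWD_FILE[user]
    return hmac.compare_digest(submitted_hash, stored)


def replay_demo():
    """Exercise both designs against a client that knows the password and
    a client that only read the password file (constructed scenario)."""
    add_user("alice", "correct horse")

    # Client that knows the password: passes design 1, wrong guess fails.
    ok_plain = server_verifies_plaintext("alice", "correct horse")
    bad_plain = server_verifies_plaintext("alice", "wrong")

    # Client that only holds the password-file entry, not the password.
    _, stored_hash = PASSWD_FILE["alice"]
    # Against design 1 the stored value is just another wrong password.
    file_entry_vs_plaintext_server = server_verifies_plaintext("alice", stored_hash)
    # Against design 2 the stored value is accepted as-is.
    file_entry_vs_hash_server = server_accepts_hash("alice", stored_hash)

    return ok_plain, bad_plain, file_entry_vs_plaintext_server, file_entry_vs_hash_server


if __name__ == "__main__":
    print(replay_demo())  # (True, False, False, True)
```

The defensive takeaway matches the post: protecting the password file (the /etc/shadow of the subject line) only helps if the stored value is not itself accepted as proof of identity; design 2 makes a read of the file equivalent to knowing every password. Design 1 keeps verification on the server but exposes the plaintext in transit, which is the trade-off the thread is discussing.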