Path: utzoo!attcan!uunet!husc6!uwvax!tank!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: /etc/shadow
Message-ID: <14594@mimsy.UUCP>
Date: 17 Nov 88 19:00:51 GMT
References: <17568@adm.BRL.MIL>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 25

>>Doug Gwyn
>>In the above, probably it would be safest to use the encrypted form
>>of a trial password instead of plaintext. It bothers me that some
>>network protocols send unencrypted passwords over the network.

In article <17568@adm.BRL.MIL> rbj@nav.icst.nbs.gov (Root Boy Jim) writes:
>Perhaps I don't understand the problem fully, but it seems to me that
>I could just write a client that sends, say, the login name and the
>encrypted password (which I got from reading the password file) over
>the net and masquerade as a legitimate host.

The trick is to encrypt the trial password with a different key. The
authentication server sends the client a new key, which has been
encrypted with the client's private key; the client decrypts the string
using its private key to obtain the temporary key. The client then uses
the temporary key to encrypt the trial password, and sends that to the
server; the server decrypts using the temporary key, encrypts using the
user's private key, and compares. If those match, the authentication
server believes that the client is acting on behalf of the user.

(Clear? :-) )
--
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain: chris@mimsy.umd.edu Path: uunet!mimsy!chris
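
The exchange described in the post above, with both sides' messages, as an added example that is not part of the original post. Assumptions: the "client's private key" is a secret the client shares with the authentication server, the stored password-file form is modelled as a salted one-way hash, and `seal`/`unseal` are a toy SHA-256 keystream standing in for the cipher (unauthenticated, for illustration only); all names and sample values are constructed.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode); stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key, blob):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def password_entry(password, salt):
    # Assumed model of the password-file form: one-way, salted.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

class AuthServer:
    def __init__(self, client_key, salt, stored_entry):
        self.client_key, self.salt, self.stored = client_key, salt, stored_entry
        self.temp_key = None

    def challenge(self):
        self.temp_key = os.urandom(32)            # new temporary key per attempt
        return seal(self.client_key, self.temp_key)

    def verify(self, reply):
        if self.temp_key is None:
            return False
        temp, self.temp_key = self.temp_key, None  # temporary key is single use
        trial = unseal(temp, reply)                # recover the trial password
        return hmac.compare_digest(password_entry(trial, self.salt), self.stored)

def client_reply(client_key, challenge, trial):
    temp_key = unseal(client_key, challenge)       # obtain the temporary key
    return seal(temp_key, trial)

def demo():
    client_key, salt = os.urandom(32), os.urandom(16)   # constructed values
    stored = password_entry(b"correct horse", salt)
    srv = AuthServer(client_key, salt, stored)
    captured = client_reply(client_key, srv.challenge(), b"correct horse")
    honest = srv.verify(captured)                  # legitimate login
    srv.challenge()                                # later attempt, new temporary key
    replayed = srv.verify(captured)                # old message sent again
    forged = srv.verify(client_reply(client_key, srv.challenge(), stored))
    return honest, replayed, forged                # forged: file entry sent as password
```

`demo()` returns the outcome of an honest login, a replay of a captured reply under a later temporary key, and an attempt that submits the password-file entry in place of the password; only the first is accepted, because the server re-applies the one-way step to whatever it decrypts.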