Print bad passwords feature request?
Ted Cabeen
ted at impulse.net
Tue Jan 14 12:51:37 EST 2003
In message <Pine.LNX.4.52L-030.0301141043300.22698 at gobo-2.andrew.cmu.edu>, Rob Siemborski writes:
>On Mon, 13 Jan 2003, Ted Cabeen wrote:
>> Would it be possible to add an option that makes cyrus print bad passwords in
>> the log file? I know that there is a slight security issue with revealing
>> the incorrect passwords that users attempt to use, but doing telephone Tech
>> Support without it is difficult.
>>
>> I have a patch that does this, but it doesn't make it into a settable option.
>
>No, it isn't possible. At least not generally.
>
>For example, you can't extract passwords from DIGEST-MD5 and CRAM-MD5 SASL
>mechanisms, and the concept doesn't even make sense with the Kerberos
>mechanisms.
Duh. Of course.
>If you're only worried about the plaintext mechanisms, the right place to
>put this is in sasl_checkpass (in libsasl).
Good thought. I'll look there.
--
Ted Cabeen http://www.pobox.com/~secabeen ted at impulse.net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen at pobox.com
"I have taken all knowledge to be my province." -F. Bacon secabeen at cabeen.org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen at netcom.com
More information about the Info-cyrus
mailing list
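The point made in the reply above about plaintext versus challenge-response mechanisms, as an added example that is not part of the original thread and is not Cyrus SASL code: with PLAIN the server receives the attempted password itself, while with CRAM-MD5 it receives only an HMAC-MD5 digest over its own challenge. The secret, challenge, user name and function names are constructed for illustration, and the base64 framing used on the wire is omitted.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the thread).
STORED_SECRET = b"correct-horse"
CHALLENGE = b"<1896.697170952@mail.example.org>"


def plain_client(user, password):
    # PLAIN (RFC 4616): authzid NUL authcid NUL passwd, sent as-is.
    return b"\0" + user + b"\0" + password


def cram_md5_client(user, password, challenge):
    # CRAM-MD5 (RFC 2195): user SP hex(HMAC-MD5(key=password, msg=challenge)).
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return user + b" " + digest.encode()


def server_check(mechanism, message, challenge=CHALLENGE):
    """Return (ok, seen_password).

    seen_password is the attempted password if the server ever received
    it, and None when the mechanism never puts it on the wire.
    """
    if mechanism == "PLAIN":
        _authzid, _user, attempted = message.split(b"\0", 2)
        return hmac.compare_digest(attempted, STORED_SECRET), attempted
    if mechanism == "CRAM-MD5":
        _user, _, digest = message.rpartition(b" ")
        expected = hmac.new(STORED_SECRET, challenge, hashlib.md5).hexdigest()
        # Only two digests are compared; a wrong digest does not reveal
        # which password the client typed.
        return hmac.compare_digest(digest, expected.encode()), None
    raise ValueError("unsupported mechanism: " + mechanism)


if __name__ == "__main__":
    typo = b"corect-horse"  # constructed mistyped password
    print(server_check("PLAIN", plain_client(b"ted", typo)))
    print(server_check("CRAM-MD5", cram_md5_client(b"ted", typo, CHALLENGE)))
```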