Print bad passwords feature request?

Rob Siemborski rjs3 at andrew.cmu.edu
Tue Jan 14 10:45:26 EST 2003


On Mon, 13 Jan 2003, Ted Cabeen wrote:

> Would it be possible to add an option that makes cyrus print bad passwords in
> the log file?  I know that there is a slight security issue with revealing
> the incorrect passwords that users attempt to use, but doing telephone Tech
> Support without it is difficult.
>
> I have a patch that does this, but it doesn't make it into a settable option.

No, it isn't possible.  At least not generally.

For example, you can't extract passwords from DIGEST-MD5 and CRAM-MD5 SASL
mechanisms, and the concept doesn't even make sense with the Kerberos
mechanisms.

If you're only worried about the plaintext mechanisms, the right place to
put this is in sasl_checkpass (in libsasl).

I don't expect we'd take the patch though since it's likely to be more
confusing than not.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
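
Added example (not part of the original message and not Cyrus or libsasl code): a Python sketch of what a server receives on a failed login under CRAM-MD5 (RFC 2195) versus PLAIN (RFC 4616), illustrating why only the plaintext mechanisms ever expose the mistyped password. The user name, passwords, challenge string and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from any real system.
CHALLENGE = b"<1896.697170952@mail.example.org>"  # server-issued nonce
STORED_SECRET = "correct-horse"                   # secret the server holds
TYPED_WRONG = "correct-hrose"                     # what the user mistyped


def cram_md5_response(user, password, challenge):
    """Client side: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def plain_response(user, password):
    """Client side: base64(authzid NUL authcid NUL passwd), empty authzid."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())


def server_view_cram(response, challenge, stored_secret):
    """Everything the server can learn from one CRAM-MD5 attempt."""
    user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return {
        "user": user,
        "ok": hmac.compare_digest(digest, expected),
        "typed_password": None,  # never sent; only a keyed digest is on the wire
        "digest": digest,
    }


def server_view_plain(response, stored_secret):
    """Everything the server can learn from one PLAIN attempt."""
    _authzid, user, typed = base64.b64decode(response).split(b"\0")
    return {
        "user": user.decode(),
        "ok": hmac.compare_digest(typed, stored_secret.encode()),
        "typed_password": typed.decode(),  # the mistyped password itself
    }


if __name__ == "__main__":
    print(server_view_cram(cram_md5_response("ted", TYPED_WRONG, CHALLENGE),
                           CHALLENGE, STORED_SECRET))
    print(server_view_plain(plain_response("ted", TYPED_WRONG), STORED_SECRET))
```

With CRAM-MD5 the server can only report that the digest did not match, so a "log the bad password" option has nothing to log; with PLAIN the mistyped value would land verbatim in the log file.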




