BIND 10 #2716: password in ~/.bind10/default_user.csv is cleartext
BIND 10 Development
do-not-reply at isc.org
Sun Feb 17 06:56:43 UTC 2013
#2716: password in ~/.bind10/default_user.csv is cleartext
-------------------------------------+-------------------------------------
Reporter: cas                        | Owner:
Type: defect                         | Status: new
Priority: medium                     | Milestone: Next-Sprint-Proposed
Component: Unclassified              | Resolution:
Keywords:                            | CVSS Scoring:
Sensitive: 0                         | Defect Severity: N/A
Sub-Project: DNS                     | Feature Depending on Ticket:
Estimated Difficulty: 0              | Add Hours to Ticket: 0
Total Hours: 0                       | Internal?: 0
-------------------------------------+-------------------------------------
Comment (by muks):

I proposed the Apache htdigest format for the `cmdctl-accounts.csv` file
(server-side), as it's used for exactly the same purpose (authentication
credentials for HTTP digest) and the htdigest tool can also be used in
that case if necessary if it follows the same format.

We'd have to store `~/.bind10/default_user.csv` in cleartext, or something
that can be converted back to clear text on the client-side to answer the
server for HTTP digest authentication.

I agree that it should not be written in plain clear text as it is now,
but stored enciphered with a nonce key (also stored alongside).
--
Ticket URL: <http://bind10.isc.org/ticket/2716#comment:2>
BIND 10 Development <http://bind10.isc.org>
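The htdigest format proposed in the comment above, as an added example that is not part of the original ticket and not BIND 10 code: each line is `user:realm:MD5(user:realm:password)`, and the server can check an RFC 2617 Digest response (qop=auth) from that stored hash alone. The function names are hypothetical, and the sample account and challenge values are the constructed example from RFC 2617.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    """Build one Apache htdigest line: user:realm:HA1."""
    ha1 = md5_hex(user + ":" + realm + ":" + password)
    return user + ":" + realm + ":" + ha1

def load_accounts(text):
    """Parse htdigest text into {(user, realm): ha1}, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, rest = line.split(":", 1)        # user names cannot contain ':'
        realm, sep, ha1 = rest.rpartition(":")
        ha1 = ha1.lower()
        if sep and len(ha1) == 32 and all(c in "0123456789abcdef" for c in ha1):
            accounts[(user, realm)] = ha1
    return accounts

def verify_response(accounts, method, params):
    """Check a client's Digest response against the stored HA1.

    Nonce freshness and nc replay tracking are assumed to be handled elsewhere.
    """
    try:
        ha1 = accounts[(params["username"], params["realm"])]
        if params["qop"] != "auth":
            return False
        ha2 = md5_hex(method + ":" + params["uri"])
        expected = md5_hex(":".join([ha1, params["nonce"], params["nc"],
                                     params["cnonce"], params["qop"], ha2]))
        return hmac.compare_digest(expected, params["response"].lower())
    except KeyError:
        return False

# Constructed sample: the account and challenge from the RFC 2617 example.
SAMPLE_FILE = htdigest_line("Mufasa", "testrealm@host.com", "Circle Of Life") + "\n"
SAMPLE_PARAMS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}
```

Because the stored hash is the only secret needed to compute a valid response for that realm, the accounts file needs the same restrictive file permissions as a password file.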