Password in log file

Julien ÉLIE julien at
Thu Aug 14 19:12:50 UTC 2008

Hi Brad,

> I just noticed that if I use the -t option when running nnrpd, the log
> file contains the username/password of clients in clear

Maybe we should add to the documentation of "ctlinnd trace" and "nnrpd -t"
a note, saying that everything is logged as-is.  It is exactly what the
news server receive and send.  Especially passwords sent in clear will
appear in the log file.

By the way, perhaps we should then encourage people to use SASL identifications?
I see:

201 InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
383 bm9uY2U9ImJRYTN6R0RJaU42Y090dHZwQnZMRityOStEZ2dJNy8zanJDY08zSGdnNEk9IixyZWFsbT0ibmV3cy50cml

I have not tested that (neither do I know which news readers support it);
I believe the password is not sent in clear but encrypted, is it?

> (or "en clair", as the French say)

Yes :)

Julien ÉLIE

« La mathématique est une science dangereuse :
  elle dévoile les supercheries et les erreurs de calcul. » (Galilée)

More information about the inn-workers mailing list