Password in log file

Julien ÉLIE julien at trigofacile.com
Thu Aug 14 19:12:50 UTC 2008


Hi Brad,

> I just noticed that if I use the -t option when running nnrpd, the log
> file contains the username/password of clients in clear

Maybe we should add to the documentation of "ctlinnd trace" and "nnrpd -t"
a note saying that everything is logged as-is.  It is exactly what the
news server receives and sends.  Especially passwords sent in clear will
appear in the log file.

By the way, perhaps we should then encourage people to use SASL identifications?
I see:

201 news.trigofacile.com InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
AUTHINFO SASL DIGEST-MD5
383 bm9uY2U9ImJRYTN6R0RJaU42Y090dHZwQnZMRityOStEZ2dJNy8zanJDY08zSGdnNEk9IixyZWFsbT0ibmV3cy50cml
[...]


I have not tested that (neither do I know which news readers support it);
I believe the password is not sent in clear but encrypted, is it?


> (or "en clair", as the French say)

Yes :)

-- 
Julien ÉLIE

"Mathematics is a dangerous science:
  it exposes trickery and miscalculations." (Galileo)
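
Added example, not part of the original message and not INN code: a filter that strips credentials from captured NNTP traffic before it is stored, covering AUTHINFO PASS and all client-side SASL data. The "C:"/"S:" direction prefixes and the sample lines are constructed for illustration and are not nnrpd's actual trace format.

```python
import re

REDACTED = "[REDACTED]"
# AUTHINFO PASS (RFC 4643): the argument is the cleartext password.
PASS_CMD = re.compile(r"^(AUTHINFO\s+PASS)\s+\S.*$", re.I)
# AUTHINFO SASL mechanism [initial-response]: keep the mechanism name only.
SASL_CMD = re.compile(r"^(AUTHINFO\s+SASL\s+\S+)(\s+\S+)?\s*$", re.I)

def redact_trace(lines):
    """Return a copy of the trace with passwords and client SASL data removed."""
    out, in_sasl = [], False          # in_sasl: a SASL exchange is in progress
    for line in lines:
        side, sep, text = line.partition(": ")
        if not sep:                   # not a protocol line, leave untouched
            out.append(line)
            continue
        if side == "S":
            # 383 is a challenge (more client data follows); any other
            # response code ends the exchange.
            in_sasl = in_sasl and text.startswith("383")
        elif side == "C":
            p, s = PASS_CMD.match(text), SASL_CMD.match(text)
            if p:
                text = f"{p.group(1)} {REDACTED}"
            elif s:
                in_sasl = True
                if s.group(2):        # initial response, e.g. PLAIN credentials
                    text = f"{s.group(1)} {REDACTED}"
            elif in_sasl:
                # The filter cannot tell which mechanisms carry cleartext,
                # so every client SASL continuation line is dropped.
                text = REDACTED
        out.append(f"{side}: {text}")
    return out

# Constructed sample session (hypothetical host, user and password).
SAMPLE = [
    "S: 200 news.example.org ready",
    "C: AUTHINFO USER alice",
    "S: 381 Enter password",
    "C: authinfo pass s3cret value",
    "S: 281 Authentication succeeded",
    "C: AUTHINFO SASL PLAIN AGFsaWNlAHMzY3JldA==",
    "S: 281 Authentication succeeded",
    "C: AUTHINFO SASL DIGEST-MD5",
    "S: 383 bm9uY2U9ImFiYyI=",
    "C: dXNlcm5hbWU9ImFsaWNlIg==",
    "S: 281 Authentication succeeded",
    "C: GROUP misc.test",
]

if __name__ == "__main__":
    print("\n".join(redact_trace(SAMPLE)))
```

The user name in AUTHINFO USER is kept so the log remains usable for auditing; only the password and SASL payloads are replaced.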


