Password in log file
julien at trigofacile.com
Thu Aug 14 19:12:50 UTC 2008
> I just noticed that if I use the -t option when running nnrpd, the log
> file contains the username/password of clients in clear
Maybe we should add to the documentation of "ctlinnd trace" and "nnrpd -t"
a note, saying that everything is logged as-is. It is exactly what the
news server receives and sends. Especially passwords sent in clear will
appear in the log file.
By the way, perhaps we should then encourage people to use SASL identifications?
201 news.trigofacile.com InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
AUTHINFO SASL DIGEST-MD5
I have not tested that (neither do I know which news readers support it);
I believe the password is not sent in clear but encrypted, is it?
> (or "en clair", as the French say)
"Mathematics is a dangerous science:
it exposes deceptions and miscalculations." (Galileo)
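
An added example, not part of the original message and not INN code: a filter that masks credentials in saved trace output before the log is shared or archived. The "host < command" line layout and the sample lines are constructed assumptions; the AUTHINFO PASS and AUTHINFO SASL command syntax is from RFC 4643.

```python
import re

MASK = "[REDACTED]"

# AUTHINFO PASS <password>: mask everything after PASS, in case the
# client sent a password containing spaces.
_PASS = re.compile(r"(?i)(\bAUTHINFO\s+PASS\s+)(\S.*)$")
# AUTHINFO SASL <mechanism> <initial-response>: the optional initial
# response is base64, which for PLAIN is the password in clear.
_SASL = re.compile(r"(?i)(\bAUTHINFO\s+SASL\s+\S+\s+)(\S+)")


def redact_line(line):
    """Return one trace line with any AUTHINFO secret masked."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]          # keep the original line ending
    out, hits = _PASS.subn(lambda m: m.group(1) + MASK, body)
    if hits == 0:
        out = _SASL.sub(lambda m: m.group(1) + MASK, body)
    return out + eol


def redact(lines):
    """Mask secrets in an iterable of trace lines."""
    return [redact_line(line) for line in lines]


# Constructed sample; the "host < ..." prefix is an assumed trace layout.
SAMPLE = [
    "reader.example.org < AUTHINFO USER alice\n",
    "reader.example.org < AUTHINFO PASS s3cret pass\n",
    "reader.example.org > 281 Authentication accepted\n",
    "reader.example.org < authinfo sasl PLAIN AGFsaWNlAHMzY3JldA==\n",
    "reader.example.org < AUTHINFO SASL DIGEST-MD5\n",
]

if __name__ == "__main__":
    for cleaned in redact(SAMPLE):
        print(cleaned, end="")
```

A SASL response sent on its own line after a 383 continuation is not matched by this filter, so it only covers the single-line forms.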