Password in log file

Russ Allbery rra at stanford.edu
Thu Aug 14 19:44:57 UTC 2008


Julien ÉLIE <julien at trigofacile.com> writes:

> By the way, perhaps we should then encourage people to use SASL
> identifications?  I see:
>
> 201 news.trigofacile.com InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
> AUTHINFO SASL DIGEST-MD5
> 383 bm9uY2U9ImJRYTN6R0RJaU42Y090dHZwQnZMRityOStEZ2dJNy8zanJDY08zSGdnNEk9IixyZWFsbT0ibmV3cy50cml
> [...]
>
> I have not tested that (neither do I know which news readers support
> it); I believe the password is not sent in clear but encrypted, is it?

It's a challenge-response protocol that I think does have replay
protection, yes.  It shouldn't matter if that were exposed.  But it's
going to be very hard to find clients that support it still.

We probably should modify the trace code to suppress passwords, although I
don't know how hard that would be.  It might be a bit tricky.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
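
One way the suppression discussed above could work, as an added example that is not INN's trace code and not part of the original message. `trace_state` and `trace_redact` are hypothetical names, and the rules assume the RFC 4643 AUTHINFO USER/PASS and AUTHINFO SASL syntax. It goes beyond the AUTHINFO PASS case by also masking SASL client responses, which arrive as bare base64 lines and so need per-connection state.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MASK "********"
/* Hypothetical helper, not INN's trace code.  State is kept because SASL
   client responses are bare base64 lines with no command word to match. */
struct trace_state { bool sasl_pending; };

/* True if the word at p equals w (given in upper case), ignoring case. */
static bool word_is(const char *p, const char *w)
{
    while (*w != '\0' && toupper((unsigned char) *p) == *w)
        p++, w++;
    return *w == '\0' && (*p == '\0' || *p == ' ' || *p == '\t');
}

/* Skip one word and the blanks (space or TAB) that follow it. */
static const char *skip_word(const char *p)
{
    p += strcspn(p, " \t");
    return p + strspn(p, " \t");
}

/* Write a loggable copy of one NNTP line (CRLF already stripped) to out. */
void trace_redact(struct trace_state *st, bool from_client,
                  const char *line, char *out, size_t outlen)
{
    const char *sub = skip_word(line);  /* second word, e.g. PASS or SASL */
    const char *arg = skip_word(sub);   /* password or SASL mechanism */
    const char *ir = skip_word(arg);    /* optional SASL initial response */
    const char *cut = NULL;             /* mask from here on, if set */

    if (!from_client) {
        /* 383 asks for another SASL response; any other reply ends it. */
        st->sasl_pending = st->sasl_pending && strncmp(line, "383", 3) == 0;
    } else if (st->sasl_pending) {
        cut = line;                     /* whole line is a SASL response */
    } else if (word_is(line, "AUTHINFO") && word_is(sub, "PASS")) {
        cut = arg;                      /* mask everything after PASS */
    } else if (word_is(line, "AUTHINFO") && word_is(sub, "SASL")) {
        st->sasl_pending = true;
        cut = (*ir != '\0') ? ir : NULL;
    }
    if (cut == NULL)
        snprintf(out, outlen, "%s", line);
    else
        snprintf(out, outlen, "%.*s%s", (int) (cut - line), line, MASK);
}
```

Server challenges (383 lines) are logged unchanged; client responses are masked for every mechanism, since with a mechanism such as PLAIN they contain the password itself.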

