Password in log file

Russ Allbery rra at
Thu Aug 14 19:44:57 UTC 2008

Julien ÉLIE <julien at> writes:

> By the way, perhaps we should then encourage people to use SASL
> identifications?  I see:
> 201 InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
> 383 bm9uY2U9ImJRYTN6R0RJaU42Y090dHZwQnZMRityOStEZ2dJNy8zanJDY08zSGdnNEk9IixyZWFsbT0ibmV3cy50cml
> [...]
> I have not tested that (neither do I know which news readers support
> it); I believe the password is not sent in clear but encrypted, is it?

It's a challenge-response protocol that I think does have replay
protection, yes.  It shouldn't matter if that were exposed.  But it's
going to be very hard to find clients that support it still.

We probably should modify the trace code to suppress passwords, although I
don't know how hard that would be.  It might be a bit tricky.

Russ Allbery (rra at             <>

    Please send questions to the list rather than mailing me directly.
     <> explains why.

More information about the inn-workers mailing list