Password in log file
Julien ÉLIE
julien at trigofacile.com
Fri Sep 19 18:25:28 UTC 2008
Hi Russ,
>> 201 news.trigofacile.com InterNetNews NNRP server INN 2.5.0 (20080629 prerelease) ready (no posting).
>> AUTHINFO SASL DIGEST-MD5
>> 383 bm9uY2U9ImJRYTN6R0RJaU42Y090dHZwQnZMRityOStEZ2dJNy8zanJDY08zSGdnNEk9IixyZWFsbT0ibmV3cy50cml
>> [...]
>>
>> I have not tested that (neither do I know which news readers support
>> it); I believe the password is not sent in clear but encrypted, is it?
>
> It's a challenge-response protocol that I think does have replay
> protection, yes. It shouldn't matter if that were exposed. But it's
> going to be very hard to find clients that support it still.
Besides, challenge-response exchanges are not logged by nnrpd (communication
is done via an external function for AUTHINFO SASL and STARTTLS).
> We probably should modify the trace code to suppress passwords, although I
> don't know how hard that would be. It might be a bit tricky.
Done. And committed to CURRENT.
--
Julien ÉLIE
« -- They're carrying a secret weapon in a barrel!
-- Warm ale!!!
-- No, that one is a known weapon. » (Astérix)
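
One way the trace-side password suppression discussed in this thread could look, as an added example that is neither INN's code nor the change committed above: `trace_safe`, `match_word` and `skip_ws` are hypothetical names, and the input is assumed to be one client command line with its CRLF already removed. It goes slightly beyond the thread by also masking an AUTHINFO SASL initial response (RFC 4643), which for a mechanism such as PLAIN carries the password.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MASK "********"

static const char *
skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Match one upper-case keyword case-insensitively after optional whitespace.
 * Returns a pointer just past it, or NULL if the next word differs. */
static const char *
match_word(const char *p, const char *word)
{
    for (p = skip_ws(p); *word != '\0'; p++, word++)
        if (toupper((unsigned char) *p) != *word)
            return NULL;
    return (*p == '\0' || *p == ' ' || *p == '\t') ? p : NULL;
}

/* Hypothetical helper: write into out the form of a client command line
 * that is safe to put in a trace log, and return out. */
const char *
trace_safe(const char *line, char *out, size_t outlen)
{
    const char *p, *q = NULL;

    if ((p = match_word(line, "AUTHINFO")) != NULL) {
        if ((q = match_word(p, "PASS")) == NULL
            && (q = match_word(p, "SASL")) != NULL) {
            /* Keep the mechanism name; only an initial response that
             * follows it is secret. */
            for (q = skip_ws(q); *q != '\0' && *q != ' ' && *q != '\t'; q++)
                ;
            if (*skip_ws(q) == '\0')
                q = NULL;
        }
    }
    if (q != NULL)      /* q marks the end of the part that may be logged */
        snprintf(out, outlen, "%.*s %s", (int) (q - line), line, MASK);
    else
        snprintf(out, outlen, "%s", line);
    return out;
}
```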