Password in log file
Julien ÉLIE
julien at trigofacile.com
Fri Sep 19 18:37:51 UTC 2008
Hi Brad,
> I just noticed that if I use the -t option when running nnrpd, the log
> file contains the username/password of clients in clear (or "en clair",
> as the French say). Is there any way to suppress the password (or have
> it printed out as ******)?
Patch for INN 2.4:
===================================================================
--- nnrpd.c (révision 7953)
+++ nnrpd.c (copie de travail)
@@ -1295,11 +1295,19 @@
/* line_read guarantees null termination */
memcpy(buff, p, len + 1);
/* Do some input processing, check for blank line. */
- if (Tracing)
- syslog(L_TRACE, "%s < %s", ClientHost, buff);
+ if (buff[0] != '\0')
+ ac = Argify(buff, &av);
+ if (Tracing) {
+ /* Do not log passwords if AUTHINFO PASS is used. */
+ if (ac > 2 && strcasecmp(av[0], "AUTHINFO") == 0
+ && strcasecmp(av[1], "PASS") == 0)
+ syslog(L_TRACE, "%s < %s %s ********", ClientHost,
+ av[0], av[1]);
+ else
+ syslog(L_TRACE, "%s < %s", ClientHost, buff);
+ }
if (buff[0] == '\0')
continue;
- ac = Argify(buff, &av);
break;
}
/* FALLTHROUGH */
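Review bot: In the new `if (Tracing)` block, `ac` and `av` are read even when `buff[0] == '\0'`, a case where the `Argify(buff, &av)` call just above was skipped, so the `ac > 2` test and the `av[0]`/`av[1]` comparisons run on whatever an earlier pass left behind (or on unset values, if nothing in the surrounding code initialises them). Suggest guarding the masking test with `buff[0] != '\0' && ac > 2`, or setting `ac = 0` for the blank-line case, so an empty line is always traced as an empty line. Separately, the `else` branch logs `buff` after `Argify` has already been handed it, which relies on `Argify` leaving its input unmodified; a short comment saying so next to the moved call would help the next reader.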
For INN 2.5 (snapshots are patched), I also catch AUTHINFO SASL PLAIN
and AUTHINFO SASL EXTERNAL.
Sep 19 20:19:58 news nnrpd[9275]: dinauz.org < authinfo pass ********
Sep 19 20:19:58 news nnrpd[9275]: dinauz.org > 281 Authentication succeeded
Sep 19 20:20:20 news nnrpd[9275]: dinauz.org < authinfo sasl plain ********
Sep 19 20:20:20 news nnrpd[9275]: dinauz.org > 482 bad protocol / cancel
--
Julien ÉLIE
« -- They are carrying a secret weapon in a barrel!
-- Warm ale!!!
-- No, that one is a known weapon. » (Astérix)
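The masking shown in the trace lines above, as a stand-alone added example (not code from this post or from INN): `redact_nntp_line` is a hypothetical helper that hides the argument of AUTHINFO PASS and, going beyond the two mechanisms named in the message, the initial response of any AUTHINFO SASL mechanism. It reads the line without splitting or copying it; the sample secret is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define WS " \t\r\n"

/* Case-insensitive comparison of a length-delimited word with a keyword. */
static int word_is(const char *w, size_t len, const char *kw)
{
    return len == strlen(kw) && strncasecmp(w, kw, len) == 0;
}

/* Write a loggable form of an NNTP command line into out, masking the
 * secret of AUTHINFO PASS and of AUTHINFO SASL <mechanism> <response>.
 * Returns 1 if something was masked, 0 if the line was copied unchanged. */
int redact_nntp_line(const char *line, char *out, size_t outlen)
{
    const char *w[4], *p = line;
    size_t len[4];
    int n = 0;

    /* Locate up to four whitespace-separated words in place. */
    while (n < 4) {
        p += strspn(p, WS);
        if ((len[n] = strcspn(p, WS)) == 0)
            break;
        w[n++] = p;
        p += len[n - 1];
    }
    if (n >= 3 && word_is(w[0], len[0], "AUTHINFO")) {
        if (word_is(w[1], len[1], "PASS"))
            return snprintf(out, outlen, "%.*s %.*s ********",
                            (int)len[0], w[0], (int)len[1], w[1]) > 0;
        /* Keep the mechanism name, hide the initial response. */
        if (n == 4 && word_is(w[1], len[1], "SASL"))
            return snprintf(out, outlen, "%.*s %.*s %.*s ********",
                            (int)len[0], w[0], (int)len[1], w[1],
                            (int)len[2], w[2]) > 0;
    }
    snprintf(out, outlen, "%s", line);
    return 0;
}

int main(void)
{
    char out[256];   /* constructed sample line, made-up password */
    redact_nntp_line("authinfo pass hunter2", out, sizeof(out));
    puts(out);
    return 0;
}
```

A password containing spaces is still hidden in full, because everything after the second word is dropped rather than copied.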