Date: Fri, 18 Oct 1996 10:31:45 -0400
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
To: Joe Greco <jgreco@brasil.moneng.mei.com>
Cc: gibbs@freefall.freebsd.org (Justin T. Gibbs), karl@mcs.net, jdp@polstra.com, ache@nagual.ru, guido@gvr.win.tue.nl, thorpej@nas.nasa.gov, phk@critter.tfs.com, freebsd-hackers@freebsd.org, tech-userlevel@netbsd.org
Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
Message-ID: <199610181431.OAA26180@orchard.medford.ma.us>
In-Reply-To: Your message of "Fri, 18 Oct 1996 08:24:48 -0500 (CDT) ." <199610181324.IAA02709@brasil.moneng.mei.com>

This whole thread is silly.

The data in question (encrypted passwords) is stored in a certain file which is mode 0600 owned by root.

It makes no sense to go to extreme measures to make it more protected than that, especially since (in this case) the FTP server presumably just received the (infinitely more dangerous) *plaintext* password in the clear over the net. It's probably still lurking about in the stdio buffers...

Now, if you're using ftp with s/key or kerberos, maybe ftpd should be fixed so that it only tries to fetch the unexpurgated passwd entry if a plaintext password is sent..

- Bill