List: qmail
Subject: RE: Yet Another Mutant Version Of "checkpassword" Is Born
From: "David T. Ashley" <dashley () abi-consulting ! com>
Date: 2005-04-29 23:55:27
Message-ID: COEPIFCCEDOHKMNNDOBOOEKACDAA.dashley () abi-consulting ! com
> Thus spake David T. Ashley (dashley@abi-consulting.com):
> > I hacked up Jedi/Sector One's work for my own needs, and it
> > seems to work. It is visible here:
>
> For any of us to care, it would maybe be beneficial if you told us what
> makes your version better/different from other checkpassword
> implementations.
>
> Just a thought.
>
> Felix
Good point.
a) The UID/GID for POP service is hardcoded into the program as a compilation
config (less variability is better and safer).
b) It just uses a plain password file with user-id, password, and maildir
directory (*).
c) It is shorter and simpler (it has some unnecessary stuff removed).
(*) Some would argue that a plain password file is less safe. A number of
points in this direction:
1) crypt, md5, or sha1 are all unsafe unless you have something known only to
the server to use to taint the hash. They all will allow a dictionary
attack. Given today's compute speeds, crypt() is nearly useless.
2) I trust *nix file system security. Having the file readable only by the
daemon of interest is enough for me.
I don't have any objection to _real_ security. However, crypt() ain't it.
Dave.
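As an added illustration of point 1) above (a hash "tainted" with something known only to the server), here is an editor-supplied Python example; it is not Dave's program, not Jedi/Sector One's checkpassword, and not part of qmail. It assumes a constructed password-file layout of `user:salt:hash:maildir`, a hypothetical `SERVER_SECRET` that would be loaded from a root-owned file outside the password file, and it implements only the lookup and verification step, not the checkpassword process interface. A per-user salt blocks precomputed tables, PBKDF2 stretching makes each guess expensive, and the final keyed HMAC means a leaked copy of the file cannot be used to test candidate passwords offline without the secret as well.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed values for this example, not from the original post.
# In a real deployment the secret would be read from a root-owned file at
# startup; it must never be stored in the password file itself.
SERVER_SECRET = b"hypothetical-server-only-secret"
ITERATIONS = 100_000  # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: bytes, secret: bytes = SERVER_SECRET) -> bytes:
    """Per-user salt + PBKDF2 stretching, then keyed with the server secret.

    The salt defeats precomputed tables, PBKDF2 slows each guess, and the
    outer HMAC means the stored digest cannot be checked against a
    candidate password by anyone who lacks the secret.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.new(secret, stretched, hashlib.sha256).digest()


def make_record(user: str, password: str, maildir: str) -> str:
    """Build one password-file line in the constructed user:salt:hash:maildir layout."""
    salt = secrets.token_bytes(16)
    digest = hash_password(password, salt)
    return ":".join([user, salt.hex(), digest.hex(), maildir])


def parse_record(line: str):
    """Split a line into (user, salt, digest, maildir); maildir may itself contain ':'."""
    user, salt_hex, digest_hex, maildir = line.rstrip("\n").split(":", 3)
    return user, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), maildir


def verify(user: str, password: str, lines: List[str],
           secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user's maildir on success, None on any failure.

    The digest comparison uses hmac.compare_digest so that timing does not
    reveal how many leading bytes of the digest matched.
    """
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        rec_user, salt, digest, maildir = parse_record(line)
        if rec_user != user:
            continue
        candidate = hash_password(password, salt, secret)
        if hmac.compare_digest(candidate, digest):
            return maildir
        return None  # first matching user decides; no second chance on later lines
    return None


if __name__ == "__main__":
    # Constructed sample password file with one user.
    pwfile = [
        "# user:salt:hash:maildir (constructed sample)",
        make_record("alice", "correct horse battery", "/home/alice/Maildir/"),
    ]
    print(verify("alice", "correct horse battery", pwfile))  # /home/alice/Maildir/
    print(verify("alice", "wrong guess", pwfile))            # None
    # With a different secret the same file verifies nothing: a leaked copy
    # of the file alone is not enough to confirm a guess.
    print(verify("alice", "correct horse battery", pwfile, secret=b"some-other-key"))  # None
```

The daemon holding the file still needs read access to both the file and the secret, so point 2) above (file-system permissions on the password file) still applies; the keyed hash only limits what a copy of the password file is worth on its own.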