Subject: install/11436: sysinst: ftp password not handled 'securely'
To: None <firstname.lastname@example.org>
From: None <email@example.com>
Date: 11/07/2000 02:51:11
>Synopsis: sysinst: ftp password not handled 'securely'
>Arrival-Date: Tue Nov 07 02:51:00 PST 2000
>Release: 1.5-current as of 2000-11-07
Thomas Klausner - firstname.lastname@example.org
System: NetBSD hiro 1.5H NetBSD 1.5H (HIRO) #0: Sun Oct 29 12:24:19 CET 2000 wiz@hiro:/archive/cvs/src/sys-i4b/arch/i386/compile/HIRO i386
I tried getting the NetBSD distfiles to install from two server,
because the first one didn't have all files; on the first one I had
logged in via user/pass, the second one was anonymous ftp.
When I changed the username from 'user' to ftp, the previuously '***
hidden ***' password was written on the screen in plaintext.
Enter username, password, see that password is '*** hidden ***'.
Change user to 'ftp', see password.
I guess the best fix is to reset the password when the user is
changed from non-'ftp' to 'ftp'.
None provided, though.