Subject: install/11436: sysinst: ftp password not handled 'securely'
To: None <>
From: None <>
List: netbsd-bugs
Date: 11/07/2000 02:51:11
>Number:         11436
>Category:       install
>Synopsis:       sysinst: ftp password not handled 'securely'
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    install-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Nov 07 02:51:00 PST 2000
>Originator:     Wiz
>Release:        1.5-current as of 2000-11-07
Thomas Klausner -
System: NetBSD hiro 1.5H NetBSD 1.5H (HIRO) #0: Sun Oct 29 12:24:19 CET 2000 wiz@hiro:/archive/cvs/src/sys-i4b/arch/i386/compile/HIRO i386
I tried getting the NetBSD distfiles to install from two server,
because the first one didn't have all files; on the first one I had
logged in via user/pass, the second one was anonymous ftp.

When I changed the username from 'user' to ftp, the previuously '***
hidden ***' password was written on the screen in plaintext.
Enter username, password, see that password is '*** hidden ***'.
Change user to 'ftp', see password.
I guess the best fix is to reset the password when the user is
changed from non-'ftp' to 'ftp'.

None provided, though.