Subject: install/11436: sysinst: ftp password not handled 'securely'
To: None <gnats-bugs@gnats.netbsd.org>
From: None <wiz@danbala.tuwien.ac.at>
List: netbsd-bugs
Date: 11/07/2000 02:51:11
>Number:         11436
>Category:       install
>Synopsis:       sysinst: ftp password not handled 'securely'
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    install-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Nov 07 02:51:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Wiz
>Release:        1.5-current as of 2000-11-07
>Organization:
Thomas Klausner - wiz@danbala.tuwien.ac.at
>Environment:
	
System: NetBSD hiro 1.5H NetBSD 1.5H (HIRO) #0: Sun Oct 29 12:24:19 CET 2000 wiz@hiro:/archive/cvs/src/sys-i4b/arch/i386/compile/HIRO i386
>Description:
I tried getting the NetBSD distfiles to install from two servers,
because the first one didn't have all files; on the first one I had
logged in via user/pass, the second one was anonymous ftp.

When I changed the username from 'user' to ftp, the previously '***
hidden ***' password was written on the screen in plaintext.
>How-To-Repeat:
Enter username, password, see that password is '*** hidden ***'.
Change user to 'ftp', see password.
>Fix:
I guess the best fix is to reset the password when the user is
changed from non-'ftp' to 'ftp'.

None provided, though.
>Release-Note:
>Audit-Trail:
>Unformatted:
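
The fix suggested in this report, as an added example that is not part of the original report and not sysinst's code: a password entered for a named account is wiped when the user is changed to 'ftp'. The struct, the function names and the display rule (anonymous passwords shown, all others masked) are assumptions inferred from the behaviour described above.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64

/* Hypothetical stand-in for the installer's FTP settings (not sysinst's struct). */
struct ftp_cfg {
    char user[FIELD_MAX];
    char pass[FIELD_MAX];
};

static int is_anon(const char *user) { return strcmp(user, "ftp") == 0; }

/* Assumed display rule: an anonymous "password" is shown, a real one is masked. */
const char *shown_pass(const struct ftp_cfg *c) {
    if (c->pass[0] == '\0')
        return "";
    return is_anon(c->user) ? c->pass : "*** hidden ***";
}

/* Behaviour as reported: only the user name changes, the old secret stays. */
void set_user_reported(struct ftp_cfg *c, const char *user) {
    snprintf(c->user, sizeof c->user, "%s", user);
}

/* Suggested fix: wipe the password when switching from non-'ftp' to 'ftp'. */
void set_user_fixed(struct ftp_cfg *c, const char *user) {
    if (!is_anon(c->user) && is_anon(user)) {
        volatile char *p = c->pass;  /* volatile: keep the wipe from being optimised out */
        for (size_t i = 0; i < sizeof c->pass; i++)
            p[i] = 0;
    }
    snprintf(c->user, sizeof c->user, "%s", user);
}

int main(void) {
    /* Constructed sample credentials. */
    struct ftp_cfg a = { "user", "s3cret-constructed" }, b = a;

    set_user_reported(&a, "ftp");
    set_user_fixed(&b, "ftp");
    printf("reported: '%s'\nfixed:    '%s'\n", shown_pass(&a), shown_pass(&b));
    return 0;
}
```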