Subject: Re: cvs commit: src/lib/libc/db/hash hash_buf.c
To: Joe Greco <jgreco@brasil.moneng.mei.com>
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
List: tech-userlevel
Date: 10/18/1996 10:31:45

This whole thread is silly.

The data in question (encrypted passwords) is stored in a certain file
which is mode 0600 owned by root.

It makes no sense to go to extreme measures to make it more protected
than that, especially since (in this case) the FTP server presumably
just received the (infinitely more dangerous) *plaintext* password in
the clear over the net.  It's probably still lurking about in the
stdio buffers...

Now, if you're using ftp with s/key or kerberos, maybe ftpd should be
fixed so that it only tries to fetch the unexpurgated passwd entry if
a plaintext password is sent..

					- Bill