Re: [Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords

From: Michael Osten (mosten_at_bleepyou.com)
Date: 06/03/03

    To: "IRCXpro Support" <support@ircxpro.com>
    Date: Tue, 3 Jun 2003 11:28:32 -0500
    

    > The reason why IRC servers' "IRCD.config" files don't use encryption (see
    > file attachment for example) is because 49 times out of 50 they do not
    > come with a GUI program. Administrators' main method of changing the
    > configuration is to manually edit the file using a notepad utility.

    It has nothing to do with having a GUI or not. You obviously have no
    concept of Unix permissions, so using a Unix analogy should be avoided in
    the future. The config file that you speak of would be set to only be
    readable and/or writable by the user running the daemon. Even the existence of
    that password in the config file would lend itself to a bad design, as every
    application (in Linux at least) can have hooks to PAM and use the same
    encrypted password. If the password *was* in the config file, to read this
    file, you would need that user's privileges, or privileges greater than
    that user's. If you have either, crypting the password would be a bit
    pointless (not to say that people don't do it).

    I'm not even going to touch the "notepad utility" comment.

    > Overuse of encrypted passwords can be counterproductive to
    > functionality.
    > There are good reasons to keep passwords clear text, to better
    > interface with other software.
    > For example, Merak Mail server software
    > (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
    > When using this mail server, it can store the accounts on an SQL Server.
    > The passwords are stored clear text. This enables other software to
    > interface with its data to create and sync its accounts/passwords with
    > other systems.

    No, no, no. Bad design, stupid design. I've never heard of your software or "Merak
    Mail", but thanks for pointing them out. I can avoid both steaming
    piles of crap.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


