Re: webmail server & getpwnam "inherently unreliable" -- Precisely why is that?
From: Admin (admin@linnix.com)Date: 03/11/02
- Previous message: andi smart: "pgp and kmail (x post from c.s.pgp.tech)"
- In reply to: Nico Kadel-Garcia: "Re: webmail server & getpwnam "inherently unreliable" -- Precisely why is that?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: admin@linnix.com (Admin) Date: 11 Mar 2002 11:10:02 -0800
"Nico Kadel-Garcia" <nkadel@bellatlantic.net> wrote in message news:<S83j8.1245$vH1.126@nwrddc01.gnilink.net>...
> "gaius.petronius" <rut@linuxmail.org> wrote in message
> news:188cd7b2.0203102144.32642664@posting.google.com...
> > cross-posted because it basically touches on 2 aspects of the password
> > issue on a webmail server, the code to check the passwd, and the
> > system itself.
> >
> > quote from http://cr.yp.to/checkpwd/interface.html
> >
> > "WARNING: getpwnam is inherently unreliable. It fails to distinguish
> > between temporary errors and nonexistent users. Future versions of
> > getpwnam should return ETXTBSY to indicate temporary errors and ESRCH
> > to indicate nonexistent users."
Have your own wrapper modules to call getpwnam? I do checking in my
own
getpwname before and after calling getpwnam.
> >
> > Precisely why is the getpwnam library function(?) "inherently
> > unreliable"?
Because mail program authors abuse the functionality.
> >
> > The background to all this is that the management types have requested
> > a "webmail" server which has the same look and feel of a hotmail,
> > yahoo, et cetera.
Easily enough, just forward their mail to hotmail and yahoo. In fact,
that's
what many of our user does, forward to hotmail and yahoo while on the
road.
Disconnect forwarding while on site.
> >
> > i at least got what i asked for in order to implement this: a separate
> > server which i plan to alias usernames from the original server (step
> > 1), and then use programs like checkpwd.
> >
> > but in the end the machine is still using the same old smtp plain text
> > login, so i don't really see the point and don't see how i can ensure
> > security against a cracker sniffing what he knows to be the first N
> > number of packets in a POP or IMAP exchange.
>
> *INSIST* on SSL use to prevent this.
>
> > am i right or wrong about the uselessness of trying to strengthen the
> > password login aspect of this machine in face of the fact that they
> > will send plaintext passwords over the internet?
>
> Basically, yes.
>
> > furthermore, the reason why they want a *browser* based email service
> > is so that when they are on the road they can just use the clients'
> > browsers to get their mail. Now correct me if i'm in error here, but
> > isn't that a giant step in the direction of breaking security in
> > itself? that means whatever crackers may be doing at client sites
> > automatically infects this webmail server.
>
No worst than what they can do with regular email or http.
> See above. Explain that this is, in fact a common problem and that crackers
> *love* to break into firewalls to monitor this sort of traffic.
No to mension the system admin of your client reading your email.
Don't forget that they don't report to you or your company.
- Next message: Richard Kimber: "Re: log entry"
- Previous message: andi smart: "pgp and kmail (x post from c.s.pgp.tech)"
- In reply to: Nico Kadel-Garcia: "Re: webmail server & getpwnam "inherently unreliable" -- Precisely why is that?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
