OSEC

Subject: Re: SASL for fun and profit
From: Ari Gordon-Schlosberg (regs@nebcorp.com)
Date: Tue May 16 2000 - 17:59:58 CDT


[Wietse Venema <wietse@porcupine.org>]
> Ari Gordon-Schlosberg:
> > [Wietse Venema <wietse@porcupine.org>]
> > > > (5) When using verbose logging (f.i. with $debug_peer_list) the password
> > > > is written to the logs in clear text. Not a huge security issue,
> > > > but still.
> > >
> > > That can't change. The verbose log is for debugging. Having
> > > to run gdb on the running process is too intrusive.
> >
> > Perhaps there should be a warning about this in the SASL documentation.
>
> Oh, come on. Warning, hot water is hot. No-one is supposed to use
> verbose logging unless absolutely necessary.

Fair enough. But in this case, it may be more than just hot water, perhaps
it's live steam. It's not often that passwords show up in system logs.

It's only a suggestion, not a religious belief. It just seems to me that
it's the Unix Way (TM) to never show a password. It's not a holy rule, but
it might make sense to warn people when it's going to be violated, just so
there aren't any nasty surprises later on.

-- 
Ari							there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key