Mailinglist Archive: opensuse-security (570 mails)
Re: [suse-security] SOLVED Plaintext passwords IMAP please!
- From: "Carl Peto" <carl@xxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Jan 2004 16:59:21 -0000
- Message-id: <003b01c3dabf$c180d380$0c00a8c0@xxxxxxxxxxxxxxxxxxxxxxx>
Thank you so much Peter!
This worked. I thought it was unlike SuSE to leave a way out of this.
I grepped for "I accept the risk" in the package documentation - nothing.
Grepped for "disable-plaintext", found it in imaprc, which describes the
c-client.cf file... however very little detail given and it said that the
default is already 0! Some slightly improved documentation - e.g. a note in
the README.SuSE would be helpful here.
David Fetter - with regard to your comments, yes I agree that it's fine to
change defaults on packages. I was concerned that as a responsible IT
professional that has carefully weighed up the security implications I
couldn't undo this without recompiling the package. In our case we are a
small company and anyway clients are using Outlook Express connecting using
plain text/pop3 to our ISP anyway!
----- Original Message -----
From: "Peter Hinterseer" <iceman@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Wednesday, January 14, 2004 4:07 PM
Subject: Re: [suse-security] Plaintext passwords IMAP please!
> -- snipped a lot of "I tried..." and "...didn't work" --
>
> > Really it's such a simple thing I want to do!
> >
> > Can anyone help?
>
> This is really not so hard to solve. SuSE's imap-2002 package released with
> 8.2 and 9.0 has to be explicitly enabled to accept plaintext passwords. Some
> file in the documentation mentions that. It also warns of the risks. But if
> all machines using this IMAP server are as you told us behind a firewall,
> this should be OK.
>
> It is easily done by creating a file '/etc/c-client.cf' with the following
> content:
>
> --
> I accept the risk
>
> set disable-plaintext 0
> --
>
> Without the '--' of course... ;-)
>
> Note the part about the risk, they must be really paranoid about those
> plaintext passwords.
>
> Have fun,
>
> Peter.-)
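
The following check is an added example, not part of the original thread or of SuSE's package: it reports whether a c-client.cf file like the one quoted above switches plaintext logins on, so the override can be found during a host audit. The function name and status strings are hypothetical. It assumes that settings only count when the first line starts with the acceptance phrase, that the last "set" line wins, and that any value other than 0 leaves plaintext disabled.

```shell
#!/bin/sh
# Added example: audit a c-client.cf file for the plaintext-password override.
# Assumptions (not stated in the thread): "set" lines are honoured only when
# the first line starts with the acceptance phrase, the last "set" line wins,
# and any value other than 0 keeps plaintext logins disabled.

audit_cclient_cf() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "absent"                 # no override file: package default applies
        return 0
    fi
    awk '
        NR == 1 { accepted = ($0 ~ /^I accept the risk/) }
        # "set disable-plaintext N", tolerating extra whitespace and CRLF
        NF >= 3 && $1 == "set" && $2 == "disable-plaintext" {
            value = $3
            sub(/\r$/, "", value)
            seen = 1
        }
        END {
            if (!accepted)            print "ignored-no-acceptance-line"
            else if (!seen)           print "no-setting"
            else if (value ~ /^0+$/)  print "plaintext-enabled"
            else                      print "plaintext-disabled"
        }
    ' "$file"
}

# Constructed sample reproducing the file content quoted in the thread.
sample=$(mktemp)
printf 'I accept the risk\n\nset disable-plaintext 0\n' > "$sample"
echo "thread example:   $(audit_cclient_cf "$sample")"
rm -f "$sample"

# The real file on this host, if any.
echo "/etc/c-client.cf: $(audit_cclient_cf /etc/c-client.cf)"
```

A result of "plaintext-enabled" on a server reachable from outside the firewall is the case the package default was meant to prevent.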