To be a new DFly committer

Joerg Sonnenberger joerg at britannica.bec.de
Fri Mar 16 09:49:38 PDT 2007


On Fri, Mar 16, 2007 at 05:17:43PM +0100, Grzegorz Błach wrote:
> a) chg default password_format to blowfish since there are known
> algorithms of collision for md5.

IMO the MD5 collision attacks are overrated and might not even apply in
this area as this is multi-round processing.

> c) add support for openwall tcb - the alternative to shadow (with pam
> module) which is more secure than pam_unix and pam_pwdb, because tools
> like 'passwd' or 'chage' don't need SUID, instead it uses SGID 'shadow'.
> Group 'auth' may be used for read-only access to all password hashes.

HAHA. This is a good one. It is more secure to not run tools which
manipulate the password db as root? If I can control any of these tools
to execute code with sgid shadow, I can just manipulate the root record
anyway. Sorry to be harsh.

> 2.
> a) Replace sendmail with postfix (with cyrus-sasl). It is faster and uses
> a cleaner config file.

...and cyrus-sasl is a complete mess. Please read the archive on this.

> b) Add imap-uw as simple pop3 and imap4 daemon.
> c) Add stunnel for SSL/TLS access to mail-related daemon.

Objected. Not essential, you can easily install them from pkgsrc or
other means.

Joerg




