Question about password encryption


#1

hi,

maybe i missed an important note in the installation/mysql docs
but the passwords of the users are stored plain text in my
database (yeah, yeah, it’s a binary file but try less ;)).
pls enlighten me :).

thanks
Othmar


#2

Known deficiency in rt 1.0. That binary file is only readable by root.
And the passwords are sent in cleartext over http. It’s all quite suboptimal.
rt2 will be better about this.

jesse reed vincent — root@eruditorum.org jesse@fsck.com
pgp keyprint: 50 41 9C 03 D0 BC BC C8 2C B9 77 26 6F E1 EB 91
Gur SOV jnagf gb znxr guvf fvt vyyrtny.


#3

It’s an easy fix that I have sent in a couple of times a long while back (early
last year, and late the year before), but it never got implemented for some
reason…

-Rich



#4

Well, suboptimal (sending passwords in plaintext over http) but one workaround we
use is to install RT on an https server. It doesn’t protect the plaintext
passwords in the database any more but with some standard system hardening it’s
better than nothing.



#5

The problem is that all the patches I’ve seen would break existing
installs, which we can’t do for 1.0.x (but will happen for 2.0, though there will be an upgrade tool).

-jesse

jesse reed vincent — root@eruditorum.org jesse@fsck.com
pgp keyprint: 50 41 9C 03 D0 BC BC C8 2C B9 77 26 6F E1 EB 91
As I sit here alone looking at green text on a laptop in a mostly bare room listening
to loud music wearing all black, I realize that it is much less cool in real life :)
–Richard Tibbets
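
The upgrade path this thread points at (hash the stored passwords with a one-shot tool so existing accounts keep working), sketched in Python as an added example; it is not part of the original posts and not RT's code. The `users` table, its column names and the PBKDF2 parameters are assumptions, and SQLite stands in for MySQL so the block runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

PREFIX = "pbkdf2_sha256"  # marks rows the tool has already converted
ITERATIONS = 600_000      # assumed work factor; tune for your hardware

def hash_password(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != PREFIX:
        return False  # unconverted or malformed rows never authenticate
    try:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), parts[3])  # constant-time compare

def migrate(conn):
    """One-shot upgrade: replace every plaintext value with a salted hash."""
    rows = conn.execute("SELECT user_id, password FROM users").fetchall()
    converted = 0
    for user_id, pw in rows:
        if pw.startswith(PREFIX + "$"):
            continue  # already hashed, so re-running the tool is safe
        conn.execute("UPDATE users SET password = ? WHERE user_id = ?",
                     (hash_password(pw), user_id))
        converted += 1
    conn.commit()
    return converted

def demo():
    # Constructed sample data in a hypothetical schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    first, second = migrate(conn), migrate(conn)
    stored = dict(conn.execute("SELECT user_id, password FROM users"))
    return first, second, stored
```

The login code has to switch to `verify_password` in the same release as the migration, since a row that was never converted will no longer authenticate.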