Re: Password auth / shadow passwd file...

From: Henrik Nordstrom <[email protected]>
Date: Tue, 25 May 1999 20:36:18 +0000

Dave J Woolley wrote:

> > shadowed password information to a file readable by Squid.
> >
> In which case you have completely defeated the purpose
> of the shadow passwords.

Not entirely, but yes. If you look carefully in the example I provided,
the file is readable to squid and only squid, so in order to get
anywhere a attacker has to probe Squid for passwords instead of take the
shadow file and run crack offline somewhere. A probing attack is much
more likely to be detected than a silent download of the encrypted
passwords.

/Henrik
Received on Tue May 25 1999 - 14:30:31 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:25 MST