Dave J Woolley wrote:
> > shadowed password information to a file readable by Squid.
> >
> In which case you have completely defeated the purpose
> of the shadow passwords.
Not entirely, but yes. If you look carefully in the example I provided,
the file is readable to squid and only squid, so in order to get
anywhere an attacker has to probe Squid for passwords instead of taking the
shadow file and running crack offline somewhere. A probing attack is much
more likely to be detected than a silent download of the encrypted
passwords.
/Henrik
Received on Tue May 25 1999 - 14:30:31 MDT