I didn't bother to do this, because even if they were encrypted, they'd be reversable. Not to mention the password can be seen in the program's memory image. It would slow any malicious attacker down, but certainly wouldn't prevent the password from being lifted. That's why there's an nss-user password which doesn't have access to all the user passwords inside the database, and another nss-root password which *does*, but lives in a file that only root can read.
You may realize all this, too .. in which case, I can say that I'll probably implement it at some point because it *helps* .. but since it's not exactly a gaping security hole, I'm not focusing on it now.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I guess this is more a feature request. But It would be nice to have the passwords not in plain text in the config files.
Keith
I didn't bother to do this, because even if they were encrypted, they'd be reversable. Not to mention the password can be seen in the program's memory image. It would slow any malicious attacker down, but certainly wouldn't prevent the password from being lifted. That's why there's an nss-user password which doesn't have access to all the user passwords inside the database, and another nss-root password which *does*, but lives in a file that only root can read.
You may realize all this, too .. in which case, I can say that I'll probably implement it at some point because it *helps* .. but since it's not exactly a gaping security hole, I'm not focusing on it now.