Re: [MRBS-general] authentication and password storage
From: Peter K. <p....@au...> - 2010-04-29 20:45:07
On 30/04/2010, at 2:18 AM, Piers Barber wrote:

> can I quickly check that user passwords aren't stored ANYWHERE in plain text form?

Disclaimer: I'm not running the latest version, but when you're set up to authenticate via LDAP, user passwords are never stored on the MRBS machine, unless it is also the LDAP server. Then it's a question of whose LDAP and how that works.

config.inc.php always contained in plaintext passwords for: a mrbs Administrator, for initial setup & emergency recovery purposes; and the mysql database root.

There is a para. on Security way down the bottom of INSTALL in the initial unpacking of the tarball, which includes this line as recommended:

    # chown httpd config.inc.php; chmod 400 config.inc.php

This of course implies that you trust your sudoers ...

Peter Kerr
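
Added example, not part of the message above or of the MRBS distribution: a shell check that a credentials file such as config.inc.php still matches the ownership and mode from the INSTALL line quoted in the message. It assumes GNU coreutils `stat -c`; the function name `audit_config` and the default owner argument are illustrative.

```shell
#!/bin/sh
# Audit a config file that holds plaintext credentials against the
# recommendation "chown httpd config.inc.php; chmod 400 config.inc.php".
# Assumption: GNU coreutils stat (-c format strings) is available.

# audit_config FILE EXPECTED_OWNER
# Returns 0 if compliant, 1 if owner or mode deviates, 2 if FILE cannot be checked.
audit_config() {
    file=$1
    want_owner=$2
    bad=0

    # A symlink or missing file cannot be judged by its own mode bits.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "SKIP $file: not a regular file"
        return 2
    fi

    owner=$(stat -c '%U' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $file: owner is $owner, expected $want_owner"
        bad=1
    fi

    # 07377 masks every permission bit except owner-read (0400):
    # setuid/setgid/sticky, owner write/execute, and all group/other bits.
    extra=$(( 0$mode & 07377 ))
    if [ "$extra" -ne 0 ]; then
        echo "FAIL $file: mode $mode grants more than owner-read (400)"
        bad=1
    fi

    if [ "$bad" -eq 0 ]; then
        echo "OK   $file: owner $owner, mode $mode"
    fi
    return "$bad"
}

# Optional command-line use: script FILE [OWNER]; owner defaults to httpd,
# the account named in the INSTALL line.
if [ "$#" -ge 1 ]; then
    audit_config "$1" "${2:-httpd}"
fi
```

The check only covers the file itself; as the message notes, anyone who can become root or the web server account can still read it.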