On Sun, 2 Apr 1995, John F. Haugh II wrote:

> > [ ...Lots of stuff about ftpd logging users' passwords... ]
>
> Whenever I get to the office (or get my phone line to be available ...)
> ....
> problem ...), it would seem that somebody reported the problem to bugtraq
> before bothering to report it to the vendor.  Not cool -- no fair
> complaining vendors are unresponsive if you don't give them first crack.

I have actually sent a fax off to the AIX Support Centre here in the UK, which
was done about the same time as I sent the mail to bugtraq. My intention was to
highlight what I see as a problem to the rest of the subscribers, and not to
complain about the way IBM code works. And I certainly never complained about
IBM being unresponsive.... not yet anyway! :)

> However, given the way the data is presented, my guess is that you
> can't get around this problem.  My inclination is to believe that you've
> gotten what you asked for -- every command and response exactly as it
> is received by the server.

I don't agree. Yes, I want to see what the users are doing, and what files are
being downloaded, but I consider it to be bad security to store any password in
plaintext (except for the user ftp/anonymous of course), even if it is in a log
file protected by root permissions.

> If that's the case, a change in documentation
> is all that is really required.  In either case, I will speak with the
> component owner and release manager and see about doing something to ftpd.
> No promises, tho.

I, for one, would be happier :-)

- Dave.

-------------------+------------------------------------------------------
Dave Roberts       | Don't `surf the net', it's sad. Get a board and surf
djr@saa-cons.co.uk | the break. "I feel better than James Brown"
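Added illustration, not part of the thread above: the mitigation Dave is asking for (keep the command trace, but never write the PASS argument to disk except for anonymous logins) can be applied as a filter over an ftpd command log. The log line format below is a constructed one, since the real AIX ftpd trace format is not shown in the thread; the per-PID session tracking, the `<--- COMMAND args` layout and the `redact_ftp_log` function are assumptions of this example.

```python
import re

# Constructed sample of an ftpd-style command trace. Assumed layout:
# "<syslog timestamp> <host> ftpd[<pid>]: <--- <COMMAND> [args]".
# The real AIX ftpd logging format is not given in the thread.
SAMPLE_LOG = """\
Apr  2 10:01:12 host ftpd[123]: <--- USER dave
Apr  2 10:01:13 host ftpd[123]: <--- PASS s3cret!
Apr  2 10:01:14 host ftpd[123]: <--- RETR report.txt
Apr  2 10:05:00 host ftpd[124]: <--- USER anonymous
Apr  2 10:05:01 host ftpd[124]: <--- PASS guest@example.org
"""

# Logins whose PASS argument is not a secret (it is the conventional e-mail
# address for anonymous FTP), so it may be kept for accounting purposes.
ANON_USERS = {"ftp", "anonymous"}

PID_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]")
USER_RE = re.compile(r"<---\s*USER\s+(?P<user>\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^(?P<prefix>.*<---\s*PASS\s+)(?P<secret>.*)$", re.IGNORECASE)

REDACTED = "<redacted>"


def redact_ftp_log(text):
    """Return the log with every PASS argument replaced by '<redacted>',
    except in sessions whose preceding USER was ftp/anonymous.

    Sessions are keyed by the ftpd process id so the USER line that precedes
    a PASS line decides whether that PASS argument is a real password.
    Every other command (RETR, STOR, ...) is passed through untouched, so the
    audit value of the trace is preserved.
    """
    users_by_pid = {}
    out = []
    for line in text.splitlines():
        pid_m = PID_RE.search(line)
        pid = pid_m.group("pid") if pid_m else None

        user_m = USER_RE.search(line)
        if user_m:
            users_by_pid[pid] = user_m.group("user").lower()

        pass_m = PASS_RE.match(line)
        if pass_m and users_by_pid.get(pid) not in ANON_USERS:
            line = pass_m.group("prefix") + REDACTED
        out.append(line)

    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing


def count_redactions(text):
    """Number of lines in an already-filtered log that carry a redacted PASS."""
    return sum(1 for line in text.splitlines() if line.endswith("PASS " + REDACTED))


if __name__ == "__main__":
    filtered = redact_ftp_log(SAMPLE_LOG)
    print(filtered, end="")
    print("redacted PASS lines:", count_redactions(filtered))
```

The filter is meant to sit between the daemon and the log file (or run over the file before it is retained); the point of redacting at write time rather than at read time is that a root-readable file still ends up in backups, core dumps and support bundles, which is exactly the exposure the thread objects to.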