Great Circle Associates Firewalls
(December 1996)
 


Subject: APOP and secret storage
From: Phil Cox <pcc @ stealth . ran . sandia . gov>
Date: Fri, 13 Dec 1996 14:57:06 -0800 (PST)
To: firewalls @ greatcircle . com

I have been looking at APOP for external authentication on POP3 servers.
In looking at this I found that the "shared secret", which is usually the
user's login password, is basically stored in the clear. It is run through
a program called "obscure" (qpopper) which just does an exclusive "OR" of
each character with the hex value "ff". Does this sit weird with anyone
else?

I also wonder how this plays out with the Gauntlet POP3 proxy as well. I
know that they store some pseudo-APOP information. Is this also effectively
stored in clear text?

What other methods (if any) are people using to "authenticate" external
pop clients through a firewall?


-Phil

* Philip C. Cox               |       Quote of the Day:              *
* pcox @ sandia . gov         | "Character : the decisions a person  *
* PAGER: (510) 355-5222       |  makes when the choice is not        *
* VOICE: (510) 294-3149       |  obvious."                           *
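
Added example, not part of the original post and not qpopper's code: a Python sketch of why an APOP server ends up holding a recoverable secret. It applies the XOR-with-0xff transform the post describes and computes the APOP digest as RFC 1939 defines it, using that RFC's own sample timestamp and secret. The function names and the salted-hash comparison are assumptions made for illustration.

```python
import hashlib
import hmac

# Sample values from the APOP example in RFC 1939, not from the post.
RFC_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = b"tanstaaf"


def obscure(data: bytes) -> bytes:
    """XOR every byte with 0xff, as the post describes. Keyless and self-inverse."""
    return bytes(b ^ 0xFF for b in data)


def apop_digest(timestamp: str, secret: bytes) -> str:
    """RFC 1939: hex MD5 of the greeting timestamp followed by the shared secret."""
    return hashlib.md5(timestamp.encode("ascii") + secret).hexdigest()


def server_verify(stored: bytes, timestamp: str, client_digest: str) -> bool:
    """Hypothetical server check: it must undo obscure() to get the cleartext."""
    expected = apop_digest(timestamp, obscure(stored))
    return hmac.compare_digest(expected, client_digest)


def verify_from_one_way_hash(stored_hash: bytes, timestamp: str,
                             client_digest: str) -> bool:
    """Same check against a salted one-way hash: the server no longer holds the
    secret, so the digest it computes cannot match an honest client's."""
    expected = apop_digest(timestamp, stored_hash)
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    client = apop_digest(RFC_TIMESTAMP, RFC_SECRET)
    on_disk = obscure(RFC_SECRET)
    print("client digest     :", client)
    print("on-disk bytes     :", on_disk.hex())
    print("recovered secret  :", obscure(on_disk))
    print("obscured verifies :", server_verify(on_disk, RFC_TIMESTAMP, client))
    # Constructed salt; PBKDF2 stands in for any one-way password hash.
    hashed = hashlib.pbkdf2_hmac("sha256", RFC_SECRET, b"constructed-salt", 100_000)
    print("hashed verifies   :", verify_from_one_way_hash(hashed, RFC_TIMESTAMP, client))
```

The second check failing is the design constraint behind the storage question: the digest covers the secret itself, so a one-way hash of the password cannot be used to verify it, and the protection of the stored secret has to come from file permissions or from using an APOP secret distinct from the login password.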


