[Mailman-Developers] Hashing member passwords in config.pck

John Dennis jdennis at redhat.com
Thu Feb 10 18:32:50 CET 2005


My suggestion would be:

1) As soon as possible post MM 2.1.6 with the security patch.

2) Quickly follow up with MM 2.1.7 with the member passwords hashed. At
the same time I think we should implement the stronger password
generation suggested in this open advisory against mailman.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-1143

I believe this will need a little support in configure.in to detect and
be able to utilize the presence of /dev/urandom, with an appropriate
fallback in its absence.

One of my hesitations to injecting the stronger password generation into
mailman was that the resulting password is then sent in the clear via
SMTP; the same is true for the "lost password" feature and the monthly
password reminders. Until all these clear transmissions of passwords are
turned off, stronger password generation seems a moot point to me. Thus I
agree with Barry: turn off the monthly reminders, "mail my password to
me" needs to be changed to generate a new password (using the stronger
mechanism in CAN-2004-1143), AND the generated password sent in the
clear needs to expire in a configurable amount of time (default = 8
hours?) and with first use (e.g. must reset password) so that any
password sent in the clear has very limited utility.

Then in the MM 3.0 time frame the entire mailman security framework
should be revisited; there are many security issues that should be
addressed. At a minimum the suggestion of supporting alternate
authentication mechanisms (e.g. pam, ldap, kerberos, etc.) should be
implemented. In my mind, this is too radical for a 2.1.x release. 3.0 is
the right time to debut a more configurable and robust security framework.

-- 
John Dennis <jdennis at redhat.com>
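The message above proposes three changes that fit together: keep only hashes of member passwords, generate replacement passwords from the OS randomness source, and make any password that has to travel in the clear expire after a configurable lifetime and on first use. The following is an added example sketching that combination in Python 3; it is not Mailman code, and the `MemberStore` class, its method names, the 12-character password length and the PBKDF2 parameters are all assumptions made here. The 8-hour default lifetime is the value floated in the message.

```python
"""Added example (not Mailman code): salted password hashing plus a
one-time, time-limited password of the kind proposed in the message."""
import hashlib
import hmac
import os
import secrets
import string

# Constructed defaults; the 8-hour lifetime is the value floated in the message.
TEMP_PASSWORD_LIFETIME = 8 * 3600
PBKDF2_ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits


def urandom_available():
    """Mirror the configure-time check the message describes: is a kernel
    randomness source present?  os.urandom uses it when it is."""
    return os.path.exists("/dev/urandom")


def generate_password(length=12):
    """Strong password from the OS CSPRNG.  secrets.choice draws from
    os.urandom; if no OS source exists we refuse rather than fall back
    to a predictable generator."""
    try:
        return "".join(secrets.choice(ALPHABET) for _ in range(length))
    except NotImplementedError:
        raise RuntimeError("no OS randomness source; refusing to generate a password")


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256.  The stored form names its own parameters
    so the iteration count can be raised later without breaking old entries."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                 PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt, hexdigest = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                 int(iters))
    return hmac.compare_digest(digest.hex(), hexdigest)


class MemberStore:
    """Stand-in for the per-list config.pck: only hashes are kept, never
    clear-text passwords (hypothetical class, not Mailman's)."""

    def __init__(self):
        self.passwords = {}   # address -> stored hash of the permanent password
        self.temporary = {}   # address -> (stored hash, expires_at)

    def set_password(self, address, password):
        self.passwords[address] = hash_password(password)
        self.temporary.pop(address, None)   # a reset voids any pending temp password

    def issue_temporary_password(self, address, now, lifetime=TEMP_PASSWORD_LIFETIME):
        """Replacement for 'mail my password to me': mint a fresh password and
        return it for delivery; only its hash and expiry time are stored."""
        password = generate_password()
        self.temporary[address] = (hash_password(password), now + lifetime)
        return password

    def authenticate(self, address, password, now):
        """Return 'ok', 'reset_required' (temporary password accepted and now
        consumed) or 'rejected'.  `now` is seconds, injected for testability."""
        entry = self.temporary.get(address)
        if entry is not None:
            stored, expires_at = entry
            if now >= expires_at:
                del self.temporary[address]      # expired: discard, fall through
            elif verify_password(password, stored):
                del self.temporary[address]      # first use consumes it
                return "reset_required"
        stored = self.passwords.get(address)
        if stored is not None and verify_password(password, stored):
            return "ok"
        return "rejected"
```

A caller that receives `reset_required` should force the member onto a change-password form before granting anything else; the member's old permanent password stays valid until that happens, which keeps a reset request from locking out the legitimate owner. Because the store holds only hashes, a leaked config.pck no longer exposes the passwords themselves, which is the point of the thread's subject.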
