forked from wdoekes/pam-imap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathBUGS
54 lines (40 loc) · 1.97 KB
/
BUGS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
BUGS BUGS BUGS...
-- 0.3.6: hashing table uses DES encryption for now... not too secure
-- FIXED using MD5 encryption now
-- 0.3.5: this version kind of got lost in the development process :)
Skipped to 0.3.6
-- The server connect failover has not been thoroghly tested
-- BUG FIXED
When the server rollover hits the very last server,
I was having problems with some string checking for NULL,
causing pam_imap.so to segfault when there were no servers
left to check... FIXED as of 0.3.4
-- Disallowed NULL passwords as of 0.3.4 --
Explanation: If you type in a username, before PAM asks
you for your password (IE: sm_authenticate() called )
it sends a NULL (as in '\0') password to each authentication
module. This is why you see lines in your /var/log/messages
that have something similar to
"sshd(pam_unix)[22126]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost="
This is because PAM is being a butthole for some reason. This
fix is a workaround for not hitting the IMAP server with
a failed login EVERYTIME you want to log in.... it also
makes the login process painfully slow.
FIXED.
-- Security possiblity: If hostnames are used in pam_imap.conf
there may be opportunities for DNS hacking to spoof
a malicious IMAP server that accepts a username/password
Quick & Dirty solution: Use IP addresses instead of
hostnames in pam_imap.conf
Elegant solution: Code pam_imap to only allow IP adresses
-- Bug related to this: If a hostname is "unknown" to the
client, then the module will segfault. (somewhere in strcpy() )
--FIXED
-- And, of course, if you use IMAP w/o SSL, that's just a whole
can of worms there.
More??? If you find any, please email Cal Heldenbrand
How about this? Anyone that finds bugs in the code will WIN...
... a pat on the back. ;-) If you send a patch, you will WIN...
... another pat on the back, and, a Snackey Smore.
Please read the BUG SUBMISSION section in the README file