[freeside] exporting shell ???

ivan ivan at 420.am
Mon Jun 17 11:07:40 PDT 2002


On Mon, Jun 17, 2002 at 12:46:19PM -0500, Dave Burgess wrote:
> I've been playing around with poppassd, which might get us off the horns of
> the dilemma.  Basically, a telnet session to the specified port is set up, and
> the user's password can then be changed without any sniffable interaction.
> 
> My theory would be that the system would install the user with a default
> password (I don't know how poppassd would handle the current default of "*")
> and then immediately replace the password with the one specified in the
> password field.

Seems like a security risk; albeit one with a small window of opportunity,
but I'd like to avoid that as well.

> 
> I can't do anything with it (in terms of installation) right today, but it is
> simple enough to find and install.
> 
> Dave
> 
> ivan wrote:
> 
> > On Tue, Jun 18, 2002 at 12:43:05AM +1000, Mario wrote:
> > > Can someone please explain to me why when you export via the
> > > shellcommands, useradd etc, that it does not pass the password ??
> >
> > Passwords should *not* be used on the command line.  This is a security
> > risk as they are sniffable with ps(1).
> >
> > > This seems extremely perculiar to me, as if i go to add a dialup
> > > account, i want to bill them via email, so the username/password is
> > > entered
> > > exported to my IC Radius database, but the shellcommand only creates the
> > > username, and no password associated, rendering the account unusable.
> > >
> > > Is there a way around this ??
> >
> > I'd like for the shellcommands exports have an option for stuff to be
> > passed on STDIN.
> >
> > > I would very much like to hear from the developers and Ivan on this one,
> > > as well as everyone else out there and exactly what type of applications
> > > and scenarios that you are all using freeside with for such
> > > circumstances???
> > >
> > > how do you go about adding email / hosting accounts when the passwords
> > > cannot be exported also ?? etc etc, i would really like to get a lot of
> > > peoples
> > > feedback from this, while i sit here and ponder on it
> >
> > Which part of "prerelease software" are you having trouble
> > comprehending?  If the software doesn't work for you, and you're not able
> > to help out by sending patches or *new bugreports*, then use 1.3.1 and
> > pipe down until we've got a beta or a release version.
> >
> > --
> > _ivan
> 
> 

-- 
_ivan



More information about the freeside-users mailing list