[ILUG] fetchmail security...
Paul Jakma
paul at clubi.ie
Thu Jan 17 11:10:40 GMT 2002
On Thu, 17 Jan 2002, John Kelly wrote:
> Anyone who's acquired the 0600 permissions needed to read your
> .fetchmailrc file will be able to run fetchmail as you anyway -- and if
> it's your password they're after, they'd be able to rip the necessary
> decoder out of the fetchmail code itself to get it.
but what kevin's done is to move authentication, nay the whole
transport, completely outside of fetchmail. whether that other
transport is secure no longer has any revelance to fetchmail.
i suspect in kevin's the security is now dependent on access to his
ssh key and passphrase or to his ssh-agent process (which kevin has
had to supply his key passphrase to and hopefully wouldnt be running
if kevin wasnt there).
now kevin only has to worry about keeping ssh secure, rather than ssh
/and/ fetchmail. and as ssh security is a lot more 'visible' and
probably interactive (definitely in kevin's case iirc) this is
probably a win.
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
Fortune:
Lawrence Radiation Laboratory keeps all its data in an old gray trunk.
More information about the ILUG
mailing list