$HOME/.usermin/inbox.imap - Why the plaintext PW?

#1 Mon, 07/07/2008 - 12:34
maxslug

$HOME/.usermin/inbox.imap - Why the plaintext PW?

I just stumbled onto the file $HOME/.usermin/inbox.imap, and inside it has the plaintext copy of the password for that account. On both the main user and the sub accounts.

What is this file used for, and can it be safely removed? I'm really not a fan of having plaintext passwords lying around for every account on my box.

Thanks in advance, -m

Mon, 07/07/2008 - 13:33
ronald

I suppose it is for the email client (such as Thunderbird or Outlook Express) to authenticate when logging in to check for any new mail.
The password for AWStats is also plaintext.

In Dovecot's module config you can also use other ways; however, you need to do some configuration and I'm not too familiar with this.

No one but the owner should be able to open that file IF your server is reasonably protected (which it is not by default and never assume it is).

Post edited by: ronald, at: 2008/07/07 14:01
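The owner-only condition mentioned in the post above can be checked directly. The following is an added example, not part of the original thread and not Usermin's own code: it lists every `.usermin/inbox.imap` file under a base directory that has any group or other permission bit set, and can tighten those files to mode 600. The function names and the `/home` default are assumptions, and the check covers file permissions only.

```shell
#!/bin/sh
# Added example (not Usermin code): find Usermin IMAP credential files
# that are accessible to anyone other than their owner.

# audit_inbox_imap BASE
# Prints the path of every .usermin/inbox.imap under BASE (default: /home,
# an assumption) that has at least one group/other permission bit set.
audit_inbox_imap() {
    base="${1:-/home}"
    # POSIX find only has "-perm -MODE" (all listed bits set), so test each
    # group/other bit separately and OR the results together.
    find "$base" -type f -path '*/.usermin/inbox.imap' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print 2>/dev/null
}

# fix_inbox_imap BASE
# Restricts every file reported by audit_inbox_imap to owner read/write.
fix_inbox_imap() {
    base="${1:-/home}"
    audit_inbox_imap "$base" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Run the audit only when a base directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_inbox_imap "$1"
fi
```

Run it as root so that every home directory can be traversed.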

Tue, 07/08/2008 - 13:32 (Reply to #2)
maxslug

These days it's getting harder and harder to keep a file system protected completely. Now my box is actually a Xen instance -- who knows who can mount my partition w/out me knowing or any number of security compromises.

I'm just hoping that all services can authenticate against PAM or /etc/shadow and that there is no need for plaintext lying around, but maybe that's a lot to ask for.

-m

Tue, 07/08/2008 - 16:54 (Reply to #3)
ronald

In the Users and Groups module there is an option to conceal plain passwords. Perhaps that helps, I do not know.
Also, you can have Dovecot use MD5/encrypted passwords (for the IMAP).

Wed, 07/09/2008 - 08:27 (Reply to #4)
maxslug

Thanks for the ideas.

Looks like the option is to just hide the passwords in the web front-end,
and the IMAP option is for authentication methods, not for local storage.

Dovecot is already configured to use PAM, so it does not need to store any passwords, just ask for credentials from PAM.

So I'm still left wondering what process is using this plain-text password file?
