Message-ID: <3CD19136.5040504@potentialtech.com>
Date: Thu, 02 May 2002 15:19:18 -0400
From: Bill Moran
Organization: Potential Technologies
To: David Banning
Cc: questions@freebsd.org
Subject: Re: security question
References: <20020502150908.A22313@mail.clubplus.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

David Banning wrote:
> I am running ssh. I am also running openwebmail.
>
> If I want to collect my mail from the web using openwebmail, then
> people could see my password, and then log on as me with ssh.

Yup, very bad ... the Apache server was compromised a little while back
because of this kind of thing.

> What is the best way to deal with this?

Depends on the exact circumstance.

> I tried setting up a second user with nologin ability but the privileges
> are not in order for my mail box.

That would be an excellent solution. Perhaps some research will uncover a
way to make the permissions work.

> I guess I could also run openwebmail with https?

That's better than clear text, although https' 128-bit encryption is starting
to feel pretty weak in the light of 2GHz processors!

-- 
Bill Moran
Potential Technology
http://www.potentialtech.com