On Tuesday 08 May 2012 00:33:19 you wrote:
> Hello
>
> On Mon, May 7, 2012 at 4:41 PM, Tito <[email protected]> wrote:
> > as plaintext passwords are not widely used nowadays,
> > do you plan to store the shared secret encrypted?
>
> Unfortunately, it is not possible if instead of encryption you mean
> hash (ex: md5, like in /etc/passwd)

So if you plan to allow users to change their secret this file would be
readable by all, better store the secret in the user's directory then,
there it is somewhat protected and you don't have all the trouble
about concurrent secret changing attempts.

A simple:

dd if=/dev/random bs=1 count=100 | md5sum | tr -d '-' > secret
100+0 records in
100+0 records out
100 bytes (100 B) copied, 0.000428655 s, 233 kB/s

maybe could be enough to generate a new secret

cat secret
1f0aa3a39002fd57a14bdac2c50c3cdb

> The encryption must be easily reversible to compute the response to a
> given pin. But then, it might become complicated and pointless (ex: it
> is just a rot-13, or if you need a key, do you store the decryption
> key in a file in /etc ? In busybox binary? In any case it could be
> found out and neglect the benefits. Even worse, it offers a false
> sense of security)
>
> Moreover, the shared secret is not a password. If you don't know the
> pin, you can not guess the challenge response.

You guess the time if the server is synchronized with some ntp service,
you can peek at the shared secret if you have another account on the server
or some malicious software on the client, you snoop the pin, e.g. man in the
middle attack if sent by http, or brute force it, 4-5 digits are max 99999
(if only numbers).

> > There is sendmail in busybox.
>
> From what I've seen, the sendmail depends on a smarthost (ex: smtp.gmail.com)
>
> DMA does everything itself - it connects to port 25, etc. I use this at
> home without any problem, since my SPF is configured and the reverse
> DNS points back to my domain. DMA doesn't do anything else (ex: there
> is no queue) - it just sends email to external domains, which is
> useful to send a pin ;-)
>
> Guylhem
>

Ciao,
Tito
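
The per-user secret file suggested in the message above, as an added example that is not part of the original email or of busybox: it writes the secret owner-readable only and replaces it by rename, so two concurrent changes cannot leave a half-written file. The function name, the `.otp_secret` file name and the use of `/dev/urandom` with `od` (in place of `/dev/random` piped through `md5sum`) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: generate a per-user shared secret, readable by its owner
# only, and swap it in atomically.

# new_secret DIR
#   DIR stands in for the user's home directory. The file name
#   ".otp_secret" is hypothetical; the thread names no path.
#   Prints the path of the secret file on success.
new_secret() {
    dir=$1
    target="$dir/.otp_secret"
    old_umask=$(umask)
    umask 077    # nothing created here is group- or world-readable

    # The temp file lives in the same directory as the target, so the
    # final mv is a rename(2) on one filesystem.
    tmp=$(mktemp "$dir/.otp_secret.XXXXXX") || { umask "$old_umask"; return 1; }

    # 16 bytes from the kernel CSPRNG, hex-encoded: the same 32-hex-digit
    # shape as the md5sum output in the thread, without the hashing step
    # and without blocking on /dev/random.
    if ! od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$tmp"; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    echo >> "$tmp"

    # Atomic replace: a concurrent reader sees the old secret or the new
    # one, never a partial file; of two concurrent writers, the last
    # rename wins with a complete secret.
    if ! mv -f "$tmp" "$target"; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    umask "$old_umask"
    printf '%s\n' "$target"
}
```
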
