On Fri, Mar 16, 2007 at 05:45:58PM +0100, Joerg Sonnenberger wrote:
> On Fri, Mar 16, 2007 at 05:17:43PM +0100, Grzegorz Błach wrote:
> > a) chg default password_format to blowfish since there are known
> > collision algorithms for md5.
>
> IMO the MD5 collision attacks are overrated and might not even apply in
> this area as this is multi-round processing.
>
> > c) add support for openwall tcb - the alternative to shadow (with pam
> > module) which is more secure than pam_unix and pam_pwdb, because tools
> > like 'passwd' or 'chage' don't need SUID, instead it uses SGID 'shadow'.
> > Group 'auth' may be used for read-only access to all password hashes.
>
> HAHA. This is a good one. It is more secure to not run tools which
> manipulate the password db as root? If I can control any of these tools
> to execute code with sgid shadow, I can just manipulate the root record
> anyway. Sorry to be harsh.
>
> > 2.
> > a) Replace sendmail with postfix (with cyrus-sasl). It is faster and uses
> > a cleaner config file.
>
> ...and cyrus-sasl is a complete mess. Please read the archive on this.
>
> > b) Add imap-uw as simple pop3 and imap4 daemon.
> > c) Add stunnel for SSL/TLS access to mail-related daemon.
>
> Objected. Not essential, you can easily install them from pkgsrc or
> other means.

Christ, man. I thought you guys wanted to encourage participation.

Brett

> Joerg