> -----Original Message-----
> From: Ken Jones [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 05, 2001 3:01 AM
> To: Gabriel Ambuehl
> Cc: [EMAIL PROTECTED]
> Subject: Re: Error trying to compile + new mysql replication release
> 
> I guess we could do that. It would be easier to implement a
> list of servers and go down the list until one is found
> that accepts the connection. 

That works for me, there's even a dbping function you can use to do that.
You can see it used in my cdb-mysql patches.
 
> Which brings up another point. Where do the servers get
> defined. Currently they are compiled in via the vmysql.h
> file. Which is easy to implement. 

I prefer to have them defined in a configuration file. I don't worry about
the fact that users "could" view the file because on a vpopmail system with
each domain stored in a /etc/passwd user, it's pretty insecure to just allow
users to interactively log into the system. I just plain don't allow it so I
don't mind having a config file floating around with the password in it.
Back in the day when I had to provide telnet/SSH logins I just created a
separate machine for that purpose and everyone else should take that advice
to heart.

> Another option would be to put the list of servers in some
> configuration file that would get parsed. But I can't see
> a secure way to attempt to hide the passwords. 

That's because you can't. If you crypt them then you can't present the
cleartext version for the challenge. The password must be stored clear text.


> Since domains
> can be stored under any /etc/passwd account, then any user
> on the system would need to have access to the file hence
> they could find the login information. 
> Anyone have any thoughts about this? It would be great
> to be able to compile one binary and use it on multiple
> machines with different mysql server auth info. 
> 
> Ken Jones

Which is what I do, and that necessitates having a config file. I suppose
you could be really silly about it and hash the password using something
like Cisco's level 7 that you can easily decrypt but if you can easily
decrypt it, so can someone else. So, I say don't worry about it and don't let
users log into your mail server(s) interactively.

Matt
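
The approach discussed in this thread (a parsed config file listing the servers, tried in order until one accepts the connection), as an added example that is not code from vpopmail or from either poster. The `host|user|password|database` line format, the function names and the stub probe are assumptions made for illustration; in a real build the probe would wrap the MySQL client connect call.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SERVERS 8
/* One entry of the assumed config format: host|user|password|database */
struct db_server { char host[64], user[32], pass[64], db[32]; };
/* Widths bound each copy to its field; %n reports how much of the line matched. */
#define FMT "%63[^|\n]|%31[^|\n]|%63[^|\n]|%31[^|\n]%n"

/* Parse newline-separated entries, skipping blank lines and '#' comments; -1 if malformed. */
int parse_servers(const char *text, struct db_server *out, int max)
{
    int n = 0;
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len > 0 && text[0] != '#') {
            int used = 0;
            if (n >= max || sscanf(text, FMT, out[n].host, out[n].user,
                                   out[n].pass, out[n].db, &used) != 4 || (size_t)used != len)
                return -1;
            n++;
        }
        text += len;
        if (*text == '\n') text++;
    }
    return n;
}

/* Try servers in order with the caller's probe (nonzero = accepted); index of first hit or -1. */
int first_reachable(const struct db_server *s, int n, int (*probe)(const struct db_server *))
{
    for (int i = 0; i < n; i++) {
        if (probe(&s[i])) return i;
        /* Log the host only: the cleartext password must never reach a log. */
        fprintf(stderr, "db server %s refused, trying next\n", s[i].host);
    }
    return -1;
}

/* Constructed sample input and a stand-in probe where only db2 accepts. */
const char SAMPLE_CONF[] = "# primary, then replica\n"
    "db1.example.test|vpopmail|not-a-real-secret|vpopmail\n"
    "db2.example.test|vpopmail|not-a-real-secret|vpopmail\n";
struct db_server demo[MAX_SERVERS];
int probe_stub(const struct db_server *s) { return strcmp(s->host, "db2.example.test") == 0; }
int main(void)
{
    int i = first_reachable(demo, parse_servers(SAMPLE_CONF, demo, MAX_SERVERS), probe_stub);
    printf("selected: %s\n", i >= 0 ? demo[i].host : "(none)");
    return i < 0;
}
```

A password containing `|` does not fit this assumed format; a malformed or over-long field makes the parser reject the file rather than truncate it.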
