On Tuesday, November 4, 2003, at 05:40 AM, Nick Harring wrote:
Actually, this is already a right place to put this, which is in randltr. Oddly that's what's used for generating the salt, but not what's used for generating the password. Instead the password just uses an ugly rand call.
I'd change vgen_pass to do this:

for (i = 0; i < len; i++) {
    k = randltr();           /* index into gen_chars from the salt-character generator */
    p[i] = gen_chars[k];
}
return p;

randltr selects from 64 valid salt characters. The password generator pulls from a larger selection of possible characters.

I'd even consider modifying the random password generator to not use letters that can be confused with each other (1/I/l and 0/O).

Also, randltr is relying on something else to seed srand, which is really a bad idea. One mistake and suddenly everyone's vpopmail everywhere is seeding with 1. Oops.

randltr is only used by mkpasswd3() which seeds srandom. You need to be careful to seed rand/random only once.

I agree that we should use /dev/urandom (or /dev/random) if available. The code should read in enough bytes to generate an entire salt or random password (however the case may be). I'm willing to explore adding this to the next development cycle. Right now, I want to get a 5.3.30 release done (and maybe even call it 5.4.0-pre1) so we can have a stable release for people who've been waiting to upgrade from 5.2.2.

I'll still say that I think this is overkill. I find it extremely unlikely that someone could determine the random password generated by vpopmail.

Tom Collins  -  [EMAIL PROTECTED]
Note: The Tom Logic offices will be closed October 23 to November 18.
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
