Topic: E-smith-manager security

[try2break]

So now that we have SSL for Webmail (yeehaw!), hows about enabling SSL for the web admin on port 980?  This seems a step down from 4.0 w/ SSL upgrade.  In that one, e-smith-manager ran on the same daemon on port 80.  It also seems to me to be a major security flaw.

[Justin]

>>It also seems to me to be a major security flaw.

The old version running on port 80 or the new one running on port 980? I am not sure where your concerns are?

[try2break]

The new 4.1 is not secure because it transmits plain text passwords over the network on port 980.  Its seems the SSL module is not loaded for the httpd on 980.  Am I the only one worried about this?
For now I just SSH in and use the lynx text browser, but this is not ideal because I cant get to SSH from just any computer without a hassle.  SSL is on every somputer attached to the Net.

[Charlie Brady]

try2break wrote:
 
> So now that we have SSL for Webmail (yeehaw!), hows about
> enabling SSL for the web admin on port 980?  This seems a
> step down from 4.0 w/ SSL upgrade.  In that one,
> e-smith-manager ran on the same daemon on port 80.  It also
> seems to me to be a major security flaw.

If you are concerned about password sniffing on your LAN, you should do administration directly on the console and/or you should install a switched network. e-smith had intended to support SSL for the e-smith-manager in a version 4.1. Unfortunately the e-smith development resources are finite, and SSL for the manager had to give way for other features that customers considered more important. It will be a feature of a future release.

If you develop this yourself, we'd be very happy to accept your code contribution.

Regards

Charlie