[Mailman-Developers] Alternate authentication mechanism (was ...
RELEASED Mailman 2.1 beta 5)
Donn Cave
donn@u.washington.edu
Thu Nov 21 17:41:12 2002
Quoth Terri Oda <terri@zone12.com>:
| On Wed, Nov 20, 2002 at 03:10:29PM -0500, Stonewall Ballard wrote:
...
|> Nobody on any of the lists I run would have a clue on how to use this.
| And to contrast, I've not only had people request this sort of thing, or
| express surprise that there is no secure way to do passwords, but I've also
| gotten mail from one user had some, um, choice words for the list
| administrators when she discovered that her password was sent in plaintext.
I think at our site, most fall into both categories. They're generally
not interested in computing technology of this kind and you can't make
them understand something they won't think about. But we've worked hard
enough to make them conscious of a password security issue here - I mean,
they will sense an incongruity.
As do we. Mailman is one of the few, if not the only, application at
our site that uses passwords, and we had to make a case for it. Part
of the deal is that we avoid password authentication for our own site
local users, so they (we hope) will not be tempted to set their Mailman
password the same as their site (Kerberos) password. Instead they use
their Kerberos password to authenticate to the site web authentication
service, whereupon they're authenticated automatically to Mailman (as
their Kerberos principal, which I map to mailman ID.) That's our fig
leaf.
Donn Cave, donn@u.washington.edu
More information about the Mailman-Developers
mailing list