[Alpine-info] Alpine .pine-passfile
Dan Mahoney, System Admin
danm at prime.gushi.org
Thu Sep 25 10:46:12 PDT 2008
On Thu, 25 Sep 2008, damion.yates at gmail.com wrote:
> On Sat, 9 Aug 2008, Robert Wolf wrote:
>
> [other stuff trimmed]
>
>> because I have about 20 accounts, I start alpine on Linux in screen
>> session and before I detach from screen, I lock alpine using Keyboard
>> Lock (M K). Next time I attach back to screen session, I need to enter
>> this password. And alpine remembers all passwords for all accounts.

Out of curiosity, why aren't you just using screen's locking functions
built-in?

>> Steve, could you tell me (or to other people too), how secure are mail
>> account passwords stored in memory, and how secure is the KBlock
>> password stored?
>>
>> Is it possible, that someone (at least root) can read account
>> passwords from memory?
>>
>> Is it possible, that someone (at least root) can find the KBlock
>> password for alpine in memory, attach screen and unlock my running
>> alpine and read my emails?
>
> I too was recently quite worried that somebody might root my box and
> gdb -p <processID_of_alpine>
> ...then work some voodoo and pull the plain text password from ram.
>
> I've not managed to find the right voodoo myself on this (I obviously
> have root), and just put my worries aside and constantly keep my box
> patched or upgraded. But I'm still curious how easy this is.

Try killing alpine with a signal like SIGABRT and running "strings" on the
resultant corefile.

What might be smart is if Alpine, on doing a KBLock, used the password to
xor-encrypt all stored passwords (including the KBlock password). Or if
it were possible to store your passfile in some encrypted format (as ssh
keys can be). I don't know if Alpine does any of this, or if simple
XOR-encryption is strong enough crypto to limit export.

-Dan
--
"Long live little fat girls!"
-Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas)
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
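
Added example, not part of the original message and not Alpine's code: a C program showing how a mail client could keep a cached password out of a core file like the one the SIGABRT and "strings" test above produces, and refuse an unprivileged "gdb -p" attach. The function names and the sample password are hypothetical, and the prctl call assumes Linux.

```c
/* Added example (not Alpine's code): keep a cached password out of core
 * files and wipe it after use. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Turn off core dumps for this process. Returns 0 on success, -1 on error.
 * This does not stop root, who can still read the process's memory. */
int harden_process(void)
{
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0)
        return -1;
#ifdef __linux__
    /* Also refuses ptrace attach (gdb -p) from unprivileged processes. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Zero a buffer through a volatile pointer so the compiler keeps the stores. */
void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

int main(void)
{
    static char password[64];               /* cached account password */

    if (harden_process() != 0)
        perror("harden_process");
    /* Best effort: keep the page out of swap; may fail under RLIMIT_MEMLOCK. */
    if (mlock(password, sizeof password) != 0)
        perror("mlock");

    strcpy(password, "constructed-sample-password");    /* constructed value */
    /* ... authenticate to the mail server here ... */
    wipe(password, sizeof password);         /* no plaintext left behind */
    munlock(password, sizeof password);
    return 0;
}
```
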