[Alpine-info] Alpine .pine-passfile
Dan Mahoney, System Admin
danm at prime.gushi.org
Thu Sep 25 10:46:12 PDT 2008
On Thu, 25 Sep 2008, damion.yates at gmail.com wrote:
> On Sat, 9 Aug 2008, Robert Wolf wrote:
> [other stuff trimmed]
>> because I have about 20 accounts, I start alpine on Linux in screen
>> session and before I detach from screen, I lock alpine using Keyboard
>> Lock (M K). Next time I attach back to screen session, I need to enter
>> this password. And alpine remember all passwords for all accounts.
Out of curiosity, why aren't you just using screen's locking functions
>> Steve, could you tell me (or to other people too), how secure are mail
>> account passwords stored in memory, and how secure is the KBlock
>> password stored?
>> Is it possible, that someone (at least root) can read account
>> passwords from memory?
>> Is it possible, that someone (at least root) can find the KBlock
>> password for alpine in memory, attach screen and unlock my running
>> alpine and read my emails?
> I too was recently quite worried that somebody might root my box and
> gdb -p <processID_of_alpine>
> ...then work some voodoo and pull the plain text password from ram.
> I've not managed to find the right voodoo myself on this (I obviously
> have root), and just put my worries aside and constantly keep my box
> patched or upgraded. But I'm still curious how easy this is.
Try killing alpine with a signal like SIGABRT and running "strings" on the
What might be smart is if Alpine, on doing a KBLock, used the password to
xor-encrypt all stored passwords (including the KBlock password). Or if
it were possible to store your passfile in some encrypted format (as ssh
keys can be). I don't know if Alpine does any of this, or if simple
XOR-encryption is strong enough crypto to limit export.
"Long live little fat girls!"
-Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas)
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
More information about the Alpine-info