BTW, while working on this bug, I also chased up another comment in the bug
log:

> The other issue is that you store a sensitive password (allowing write to
> the ldap directory) in debconf, without appropriate encryption - that
> stuff should generally not be stored and used to overwrite the
> pam_ldap.secret file.  I'd prefer if it asked for the password once on
> initial install, and never touched it again, or at the very minimum should
> prompt each time before overwriting it.

The password questions in libpam-ldap are correctly marked as being of type
'password', which means that they are only stored in the file
/var/cache/debconf/passwords.dat, which is root-only.  Therefore the
passwords stored in debconf have the same security as the passwords stored
in the config file in /etc/, and there is nothing in need of changing here.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
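One defensive check that follows from the point above, as an added example that is not part of the original mail or of libpam-ldap: a small shell lint that flags debconf questions which hold a secret but are not declared "Type: password" (so their answers would be written to the general config.dat rather than the root-only passwords.dat), plus a check that a secrets file carries owner-only permissions. The templates file and its question names are constructed for the example.

```sh
# Added example, not part of the original mail or of libpam-ldap.
# debconf stores answers to questions declared "Type: password" in
# /var/cache/debconf/passwords.dat (root-only); every other type goes to
# config.dat, so a secret question mistyped as "string" lands in the wrong file.

# Constructed sample templates file; question names are hypothetical.
make_sample_templates() {
  cat > "$1" <<'EOF'
Template: example-ldap/rootbindpw
Type: password
Description: LDAP root account password

Template: example-ldap/bindpw
Type: string
Description: LDAP bind password (mistyped: should be password)

Template: example-ldap/base
Type: string
Description: Distinguished name of the search base
EOF
}

# Print "name type" for each question whose name or description suggests a
# secret but whose Type is not 'password'. Exit status 1 if any were found.
find_mistyped_secrets() {
  awk '
    function check() {
      if (name != "" && type != "password" &&
          (tolower(name) ~ /pass|pw|secret/ || desc ~ /password|secret/))
        { print name, type; found = 1 }
      name = ""; type = ""; desc = ""
    }
    /^Template:/    { name = $2 }
    /^Type:/        { type = $2 }
    /^Description:/ { desc = tolower($0) }
    /^$/            { check() }
    END             { check(); exit found ? 1 : 0 }
  ' "$1"
}

# True if the file has no group/other permission bits, as passwords.dat must.
owner_only() {
  [ -f "$1" ] && [ -z "$(find "$1" -perm /077 -print)" ]
}

tmpl=$(mktemp)
make_sample_templates "$tmpl"
find_mistyped_secrets "$tmpl" || echo "the questions above are not Type: password"
rm -f "$tmpl"
[ -f /var/cache/debconf/passwords.dat ] && \
  { owner_only /var/cache/debconf/passwords.dat || echo "passwords.dat is not owner-only"; }
```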

