Bob van der Kamp ([EMAIL PROTECTED]) wrote:
> > > But what about during the login process? When the user types in his password
> > > it can be "converted" to sha.

That's the same concept as with the imap daemon, putting a trojan in 'login' to capture and convert passwords on the fly. I was considering that most of these large mail servers are virtual user environments which do not actually provide shell access to users, so that's why I mentioned the IMAP/POP daemons.

If the users have shell access, it's even easier. Just write a small program that asks for a password two times, outputs the hash of your choice into a file named by their username in a directory only readable by root. You can probably write something in 10 lines of perl. Send an email to the users asking them to run the program, and check the directory contents every so often against your password list. Send more emails to the ones who haven't done it yet as necessary.

-- 
Mike
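A worked version of the rehash step described in the mail above, added here as an example and not code from the thread. It assumes a constructed legacy store of unsalted MD5 hex digests, uses salted PBKDF2-SHA256 as the "sha" target, and, beyond the sketch in the mail, only writes a new hash when the supplied password matches the old one and the username cannot escape the root-only output directory.

```python
import hashlib, hmac, os, re, secrets, tempfile
from pathlib import Path

# Constructed assumption: the legacy store holds unsalted MD5 hex digests.
def verify_old(password: str, old_hash: str) -> bool:
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), old_hash)

def new_hash(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated SHA-256 (PBKDF2) in a self-describing string."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_new(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

_SAFE_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # no '/' or '..' in a filename

def rehash_user(username: str, password: str, old_hash: str, outdir: str) -> bool:
    """Write <outdir>/<username> holding the new hash, but only if the password
    matches the legacy hash and the username cannot escape outdir."""
    if not _SAFE_USER.match(username) or not verify_old(password, old_hash):
        return False
    d = Path(outdir)
    d.mkdir(mode=0o700, exist_ok=True)          # directory readable by root only
    fd = os.open(d / username, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(new_hash(password) + "\n")
    return True

def pending_users(all_users, outdir: str):
    """Users still lacking a new hash: the periodic directory check from the mail."""
    d = Path(outdir)
    done = {p.name for p in d.iterdir()} if d.is_dir() else set()
    return sorted(set(all_users) - done)

def demo():
    """Constructed legacy store; returns what one migration pass observes."""
    legacy = {"alice": hashlib.md5(b"correct horse").hexdigest(),
              "bob": hashlib.md5(b"hunter2").hexdigest()}
    with tempfile.TemporaryDirectory() as outdir:
        ok = rehash_user("alice", "correct horse", legacy["alice"], outdir)
        bad = rehash_user("bob", "wrong guess", legacy["bob"], outdir)
        evil = rehash_user("../etc/shadow", "hunter2", legacy["bob"], outdir)
        stored = (Path(outdir) / "alice").read_text().strip()
        return ok, bad, evil, verify_new("correct horse", stored), pending_users(legacy, outdir)
```

The legacy-hash check is the part that matters: without it, anyone who can run the program could plant an arbitrary new hash for their own name, and the directory listing would wrongly report them as migrated.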
