[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Thoughts about network-console

(No need to CC on replies: I read the list.)

On Thursday 05 August 2010, Thibaut Girka wrote:
> If you're talking about user-setup, they are cleared, that the first
> thing I've checked (better done that checking network-console, it seems)
> before sending this mail.

With user-setup the passwords are asked by a different (much earlier [1]) 
script than the one that creates the accounts and sets the passwords. So 
they *must* be in the debconf database for at least the time in between.

The fact that they are cleared afterwards - only at the very, very end of 
the installation: just before the reboot - seems to me like a mostly empty 
gesture. At least for the attack vector you were concerned about.

[1] The asking of the passwords was recently moved forward quite a bit for 

Reply to: