stevehaskew
commented
6 years ago I have inverted the logic as suggested by @davidc - we refuse to use the insecure login unless the user specifically requests it.
Closed stevehaskew closed 6 years ago
stevehaskew
commented
6 years ago I have inverted the logic as suggested by @davidc - we refuse to use the insecure login unless the user specifically requests it.
stevehaskew
commented
6 years ago I've merged in the accepted SSL changes, since I wrote both branches and there would be a merge conflict if we merged this in the previous state.
jgoclawski
commented
6 years ago @kramarz what do we do with #33? I think it should be dropped in favour of this PR.
stevehaskew
commented
6 years ago What do people think about displaying a warning when using plaintext login without SSL? It seems to fit with other packages I have used in the past when using a "dangerous" option.
jgoclawski
commented
6 years ago @stevehaskew I'm not so sure about this idea. In our organization for example, we connect with routers via VPN. The bottom line is that there are many ways to secure the communication and SSL is only one of them. I think the scope of this package should not be to teach about security best practices and assume that people already know them.
kramarz
commented
6 years ago @jgoclawski I think it is ready to release now.
Some basic support for the new post-v6.43 login method. As suggested by the community, it attempts to use the new method and falls back to the old one in case of getting a challenge response. I have added an option for forcing the old login method, since there are many cases where it is undesirable to send the password in plain-text over the Internet. I would recommend always using SSL when using this new login.