The module system was never really documented, just a few dated (mostly vague) threads. Even if one managed to write a module, encrypting the UserIdTable would end up being more of a nuisance in the long run.
For example, if the user names were encrypted with symmetric cipher you would need an encryption key. This introduces new problems, where will the key be stored? If the key is defined in the ioFTPD.ini, all the intruder has to do is grab the key along with the UserIdTable to decrypt it. Alternatively, you could have ioFTPD prompt you for the key on start-up, but this destroys the purpose of a daemon (a background task that does not require user interaction).
Now, if one took the time to develop a realistic threat model, encrypting user names would be the least of your worries. Think about all the other points of entry and threats (e.g. uneducated and untrustworthy users).
In my opinion, Harm's idea (using NTFSâs encryption and ACL functionality) is probably sufficient.
|