[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Self compiling and login failure messages
|
From: |
Larry Jones |
|
Subject: |
Re: Self compiling and login failure messages |
|
Date: |
Thu, 6 Mar 2003 11:18:09 -0500 (EST) |
Wolfgang Mettbach writes:
>
> I downloaded the latest source code to get rid of the security bugs hanging
> around in older versions. After compiling I noticed messages about login
> failures in the syslog file. This wouldn't be bad if the used password wasn't
> written there unencrypted. If someone just mistypes one single character of
> his/her password it would be very easy to crack the real password.
>
> How do I get rid of these messages? Do I have to modify the source code or is
> there an option that can be used when compiling that I haven't found yet?
Fix your syslog configuration. CVS syslogs actual passwords using the
"authpriv" facility (if your syslog doesn't support that facility, CVS
doesn't log the actual passwords). The authpriv facility is defined as
authorization messages (like login failures) containing sensitive
information, so they should be logged to a file readable only by root
(or other trusted individuals); they should *NOT* be logged to the
normal syslog file. You need to add a line something like:
authpriv.* /var/log/secure
near the top of your /etc/syslog.conf (where /var/log/secure has
appropriate permissions). Heaven only know what other kinds of
sensitive information you're publishing in your syslog.
-Larry Jones
I think grown-ups just ACT like they know what they're doing. -- Calvin