Re: Cleartext password in login-failure message
From: Larry Jones
Subject: Re: Cleartext password in login-failure message
Date: Tue, 11 Nov 2003 12:22:47 -0500 (EST)
Ross Patterson writes:
>
> When a user attempts to log in to a remote repository via pserver with the
> wrong password, CVS writes a message to the LOG_AUTHPRIV syslog() facility
> containing the incorrect password. As a bonus, if you're running release
> 1.11.6 or later, I believe it also includes the correct password - we're not
> there yet, but that's the way the src/server.c looks to me.
It includes the *crypted* versions of the entered password and the
correct password, not the plain text. In fact, there's no way to
determine the plain text of the correct password -- the encryption is
one-way. And it carefully avoids logging the plain text of the entered
password because the failure might well be the result of a simple,
easily guessed typo.
> I know a proper syslogd setup will send LOG_AUTHPRIV messages to someplace
> secure (e.g. /var/log/secure on Red Hat Linux), but it still seems wrong to
> include either password in the message. Doubly wrong if you're using system
> passwords to secure CVS.
That's the whole point of LOG_AUTHPRIV -- to have a place to log
sensitive information that shouldn't be public, but can be very
important for debugging. I don't know of any system that provides the
facility that doesn't also have it set up securely in the default
syslogd configuration.
> Can we please consider suppressing the passwords, at least optionally?
I think you're overreacting; the logged information isn't that sensitive.
-Larry Jones
Hmm... That might not be politic. -- Calvin