Re: Cleartext password in login-failure message

[Larry Jones]

Ross Patterson writes:
> 
> When a user attempts to log in to a remote repository via pserver with the 
> wrong password, CVS writes a message to the LOG_AUTHPRIV syslog() facility 
> containing the incorrect password.  As a bonus, if you're running release 
> 1.11.6 or later, I believe it also includes the correct password - we're not 
> there yet, but that's the way the src/server.c looks to me.

It includes the *crypted* versions of the entered password and the
correct password, not the plain text.  In fact, there's no way to
determine the plain text of the correct password -- the encryption is
one-way.  And it carefully avoids logging the plain text of the entered
password because the failure might well be the result of a simple,
easily guessed typo.

> I know a proper syslogd setup will send LOG_AUTHPRIV messages to someplace 
> secure (e.g. /var/log/secure on Red Hat Linux), but it still seems wrong to 
> include either password in the message.  Doubly wrong if you're using system 
> passwords to secure CVS.

That's the whole point of LOG_AUTHPRIV -- to have a place to log
sensitive information that shouldn't be public, but can be very
important for debugging.  I don't know of any system that provides the
facility that doesn't also have it set up securely in the default
syslogd configuration.  

> Can we please consider suppressing the passwords, at least optionally?

I think you're overreacting; the logged information isn't that sensitive.

-Larry Jones

Hmm... That might not be politic. -- Calvin