[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cleartext password in login-failure message

From: Ross Patterson
Subject: Re: Cleartext password in login-failure message
Date: Tue, 11 Nov 2003 14:14:04 -0500
User-agent: KMail/1.4.3

On Tuesday 11 November 2003 12:22 pm, Larry Jones wrote:
> It includes the *crypted* versions of the entered password and the
> correct password, not the plain text.  

Yeah, that should have been obvious, but having read the older source I guess 
I just missed it.

> And it carefully avoids logging the plain text of the entered
> password because the failure might well be the result of a simple,
> easily guessed typo.

Right, that's what drew my attention in the first place.  Red Hat Linux comes 
with CVS 1.11.2, and at that level the cleartext bad password is indeed 
logged ("syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s / %s (for 
%s)", username, descrambled_password, repository);").

> That's the whole point of LOG_AUTHPRIV -- to have a place to log
> sensitive information that shouldn't be public, but can be very
> important for debugging.  I don't know of any system that provides the
> facility that doesn't also have it set up securely in the default
> syslogd configuration.
> I think you're overreacting; the logged information isn't that sensitive.

Cleartext passwords, even the wrong ones, are too sensitive to log.  Not even 
root should be able to get that kind of information.  But since this has 
already been fixed at a more-recent release, CVS is in good shape.
Ross A. Patterson
Chief Technology Officer
CatchFIRE Systems, Inc.
5885 Trinity Parkway, Suite 220
Centreville, VA  20120
(703) 563-4164

reply via email to

[Prev in Thread] Current Thread [Next in Thread]