cjchumbley at hotmail.com
Tue Feb 17 21:44:17 PST 2004
I agree that with a malicious admin all bets are off. On the other hand, I have seen too many stupid and/or lazy admins and the ability to search through a log file for "admin/Godd" or to look for any other login failures and see the username/password pairs really just isn't an acceptable security risk. IMHO of course...
----- Original Message -----
From: Archaic<mailto:archaic at indy.rr.com>
To: Hardened LFS Development List<mailto:hlfs-dev at linuxfromscratch.org>
Sent: Tuesday, February 17, 2004 11:05 PM
Subject: Re: Login functionality
On Tue, Feb 17, 2004 at 05:34:37PM -0400, Anderson Lizardo wrote:
> AFAIK, the actual failed login name doesn't appear on the auth.log for
> security reasons. Often people type their password as login name by
> accident so anyone with access to the log file (including malicious
> administrators) can get the plain text password there and try the same
> password e.g. on HotMail accounts ;)
Makes sense... somewhat. However, a malicious admin causes all bets to
be off, so I wouldn't use that line of reasoning for not implementing
Anyone else want to chime in?
It is proper to take alarm at the first experiment on our liberties. We
hold this prudent jealousy to be the first duty of citizens and one of
the noblest characteristics of the late Revolution. The freemen of
America did not wait till usurped power had strengthened itself by
exercise and entangled the question in precedents. They saw all the
consequences in the principle, and they avoided the consequences by
denying the principle. We revere this lesson too much ... to forget it
- James Madison.
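One way to reconcile the two positions in this thread, as an added example (not code from the list or from the HLFS project): record every failed login, but write the submitted name only when it matches an existing account; anything else may be a mistyped password, so only a keyed hash of it is logged, which still lets an admin correlate repeated attempts. The account set, the key and the sample log lines are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the accounts in /etc/passwd (assumption).
KNOWN_USERS = {"root", "alice", "bob"}

# Per-host secret so the logged tag can't be brute-forced back to the typed value
# (hypothetical: a real deployment would read it from a root-only file).
LOG_KEY = b"constructed-example-key"


def failed_login_record(submitted_name, known_users=KNOWN_USERS, key=LOG_KEY):
    """Build the auth.log text for one failed login attempt.

    A name that matches an existing account is safe to log verbatim.  Anything
    else might be a password typed into the login prompt, so only a truncated
    HMAC is recorded: repeated attempts with the same bogus name still line up,
    but nobody reading the log can recover the value itself.
    """
    if submitted_name in known_users:
        return f"FAILED LOGIN for user '{submitted_name}'"
    tag = hmac.new(key, submitted_name.encode(), hashlib.sha256).hexdigest()[:12]
    return f"FAILED LOGIN for unknown user (hmac={tag})"


# Pattern for the verbose style of log line the thread complains about.
FAILED_RE = re.compile(r"FAILED LOGIN for user '([^']*)'")


def find_leaked_names(log_lines, known_users=KNOWN_USERS):
    """Scan verbose-style log lines and return the failed-login names that match
    no account, i.e. the entries to treat as possible passwords and redact
    before the log is shared or archived."""
    leaked = []
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m and m.group(1) not in known_users:
            leaked.append(m.group(1))
    return leaked


# Constructed sample of a verbose auth log: the second entry is a password
# typed into the login prompt by mistake.
SAMPLE_LOG = [
    "Feb 17 21:44:17 host login[512]: FAILED LOGIN for user 'alice'",
    "Feb 17 21:44:25 host login[512]: FAILED LOGIN for user 'hunter2'",
    "Feb 17 21:44:31 host login[512]: FAILED LOGIN for user 'bob'",
]
```

Running `find_leaked_names(SAMPLE_LOG)` over the constructed log flags only `hunter2`, the entry a lazy admin could otherwise pair with a real account name.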