Login functionality

Thomas Sutton thsutton at tasmaniac.net
Tue Feb 17 21:52:16 PST 2004


On Wed, 2004-02-18 at 15:05, Archaic wrote:
> On Tue, Feb 17, 2004 at 05:34:37PM -0400, Anderson Lizardo wrote:
> > 
> > AFAIK, the actual failed login name doesn't appear on the auth.log for
> > security reasons. Often people type their password as login name by
> > accident so anyone with access to the log file (including malicious
> > administrators) can get the plain text password there and try the same
> > password e.g. on HotMail accounts ;)
> 
> Makes sense... somewhat. However, a malicious admin causes all bets to
> be off, so I wouldn't use that line of reasoning for not implementing
> this feature.
> 
> Anyone else want to chime in?

Same reason, different justification. The high probability that a user
will, at some point, enter a valid (or near valid) password as a login
name makes it almost certain that passwords would find their way into
the log. With this almost certainty, how confident can we be that we are
able to keep the log files entirely confidential? What about when we are
logging across a network (and another attackable OpenSSL hole comes
out)?

While it would be helpful to be able to spot name guessing attempts, it
does present IMHO an unnecessary risk. If the risk of password
confidentiality compromises is to be accepted in this instance, we will
need to ask ourselves, "How many is too many?" Every such exception
increases the risk at which we put ourselves and our users. When does
the combined increase in risk negate the individual benefits each
compromise provides?

For this sort of feature to be safe, I think it would be best to wait
until we have MAC support (and turn it on). Or note it as unsafe without
such and let people decide if they want to take the chance that a bug
will allow an attacker to gain access to their logs (which should not be
readable in any case).

Just my $AU20.00 ($US0.02 :-)

Regards,
Thomas Sutton
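
Added example, not part of the original post or of the project's code: one middle ground between the positions in this thread, in which a failed login name is written to the log only when it matches an existing account and is otherwise replaced by a short keyed tag, so guessing runs stay countable without the typed string being stored. The account set, key, log line format and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions for this example, not real values).
KNOWN_ACCOUNTS = {"root", "alice", "bob"}
LOG_KEY = b"example-key-stored-apart-from-the-logs"


def loggable_name(attempted, known=KNOWN_ACCOUNTS, key=LOG_KEY):
    """Return the string that may be written to the auth log."""
    if attempted in known:
        # An existing account name is not a secret: log it as typed.
        return attempted
    # Anything else may be a password typed at the login prompt.
    # Log a truncated keyed tag: equal inputs give equal tags, so repeated
    # or varied guesses can be correlated, but the text itself is not stored.
    digest = hmac.new(key, attempted.encode("utf-8"), hashlib.sha256)
    return "UNKNOWN#" + digest.hexdigest()[:8]


def failed_login_line(attempted, tty):
    """Format one failed-login entry (hypothetical line format)."""
    return f"FAILED LOGIN on {tty} for {loggable_name(attempted)}"


def distinct_unknown_names(log_lines):
    """Count distinct unknown-name tags, a rough signal of name guessing."""
    tags = set()
    for line in log_lines:
        name = line.rsplit(" for ", 1)[-1]
        if name.startswith("UNKNOWN#"):
            tags.add(name)
    return len(tags)


if __name__ == "__main__":
    # Constructed attempts: one real account, one password typed by
    # mistake as a login name, and three guesses at account names.
    attempts = ["alice", "hunter2!Secret", "admin", "oracle", "admin"]
    lines = [failed_login_line(a, "tty1") for a in attempts]
    print("\n".join(lines))
    print("distinct unknown names:", distinct_unknown_names(lines))
```

The tag is only as confidential as the key: anyone holding both the key and the log can test candidate strings against it, so the key has to live somewhere the log readers cannot reach.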



