cwinebrinner at lmtc.net
Tue Feb 17 22:50:22 PST 2004
Hello, this is my first time posting to this list, though I have been
reading it for a while.
IMO, I think it depends on the system and what the system is going to
be used for. If it's a single user system or one with a close-knit
group of users, I think the logging of the failed usernames would be
great. But, for instance, if it's a system with a lot of users and someone
somehow gains access to the log, then that could be a major problem,
because there are a lot of people that use the same password for everything.
If the hacker can associate their usernames on the machine to external
accounts, then he will have complete access to all of their other accounts.
It sounds kind of risky for your users and for their sake, I do not think
I would log such access attempts.
BTW, sorry if this message isn't formatted properly. I manually wrapped
the text, because I am using Outlook to send this. I am in the process
of re-installing Linux to my desktop after the HD went bad. Still have
several servers running LFS tho...
> Same reason, different justification. The high probability that a user
> will, at some point, enter a valid (or near valid) password as a login
> name makes it almost certain that passwords would find their way into
> the log. With this almost certainty, how confident can we be that we are
> able to keep the log files entirely confidential? What about when we are
> logging across a network (and another attackable OpenSSL hole comes
> While it would be helpful to be able to spot name guessing attempts, it
> does present IMHO an unnecessary risk. If the risk of password
> confidentiality compromises is to be accepted in this instance, we will
> need to ask ourselves, "How many is too many?" Every such exception
> increases the risk at which we put ourselves and our users. When does
> the combined increase in risk negate the individual benefits each
> compromise provides?
> For this sort of feature to be safe, I think it would be best to wait
> until we have MAC support (and turn it on). Or note it as unsafe without
> such and let people decide if they want to take the chance that a bug
> will allow an attacker to gain access to their logs (which should not be
> readable in any case).
> Just my $AU20.00 ($US0.02 :-)
> Thomas Sutton
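
The trade-off discussed in this thread, as an added example that is not part of either post: a failed-login formatter that writes the submitted name only when it matches an existing account, masks anything else as UNKNOWN so a password typed at the login prompt never reaches the log, and still counts masked failures so name guessing stays visible. The account list, threshold, message format and function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define GUESS_THRESHOLD 3          /* assumed alert threshold */

/* Constructed account list standing in for the system's user database. */
static const char *const known_accounts[] = { "alice", "bob", "root" };
static unsigned unknown_failures;  /* masked failures seen so far */

static int account_exists(const char *name)
{
    size_t n = sizeof known_accounts / sizeof known_accounts[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, known_accounts[i]) == 0)
            return 1;
    return 0;
}

/* Build the log line for one failed login (hypothetical helper).
 * Returns 1 if the name was written verbatim, 0 if it was masked,
 * -1 if the output buffer is too small. */
int format_failed_login(char *out, size_t outlen,
                        const char *submitted, const char *tty)
{
    int known = account_exists(submitted);
    int n;
    if (known) {
        n = snprintf(out, outlen, "FAILED LOGIN on %s for %s", tty, submitted);
    } else {
        /* The string may be a mistyped password: log a fixed token only. */
        unknown_failures++;
        n = snprintf(out, outlen,
                     "FAILED LOGIN on %s for UNKNOWN (%u unknown-name failures%s)",
                     tty, unknown_failures,
                     unknown_failures >= GUESS_THRESHOLD
                         ? ", possible name guessing" : "");
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : known;
}

int main(void)
{
    /* Constructed attempts; the second is a password typed as a login name. */
    const char *attempts[] = { "alice", "S3cret-Pa55", "bbo", "admin" };
    char line[128];
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        if (format_failed_login(line, sizeof line, attempts[i], "tty1") >= 0)
            puts(line);
    return 0;
}
```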