dagmar.wants at nospam.com
Wed Feb 18 01:57:57 PST 2004
On Tue, 2004-02-17 at 23:57, ken_i_m at elegantinnovations.net wrote:
> On Wed, Feb 18, 2004 at 12:44:17AM -0500, Christopher Chumbley (cjchumbley at hotmail.com) wrote:
> > I agree that with a malicious admin all bets are off. On the other
> > hand, I have seen too many stupid and/or lazy admins and the ability to
> > search through a log file for "admin/Godd" or to look for any other login
> > failures and see the username/password pairs really just isn't an
> > acceptable security risk. IMHO of course...
> [wrapping added :-( ]
> A non-admin user being able to read logs is a misconfiguration. This is
> sysadmin 101 basic stuff. If you have an admin this stupid/lazy you got
> a lot more serious problems than users exploiting logs.
Still, _someone_ needs to be looking at the logs, so on the rather
common chance that an idiot types their password into the username
field, it must _not_ be stored in plaintext, and to prevent reducing the
"secretness" of the password, it would need to be ciphered at least as
well as the entry in the shadow file--for obvious reasons this isn't
useful either, so the sensible result is that usernames from failed
logins on the console are _not_ logged. (Telnet is something people
shouldn't use anymore anyway)
The email address above is phony because my penis is already large enough, kthx.
AIM: evilDagmar Jabber: evilDagmar at jabber.org
More information about the hlfs-dev
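The policy argued for in the message above, sketched as an added example (not code from the thread or from any login program): the string typed into the username field is never copied into the failed-login record, while per-terminal failure counts still give whoever reads the logs something to act on. The record format, the function names and the optional `log_known` switch are assumptions made for this illustration.

```python
from collections import Counter

# Constructed sample input: (tty, text typed at the "login:" prompt).
ATTEMPTS = [
    ("tty1", "Godd"),                   # a password typed into the username field
    ("tty1", "admin"),                  # real account name, wrong password
    ("tty2", "s3cret\nFAILED LOGIN"),   # typed text containing a newline
]

def failed_login_record(tty, typed_name, known_users, log_known=False):
    """Build the log line for one failed console login.

    typed_name may be a password entered by mistake, so it is never written
    verbatim. With log_known=True (a hypothetical relaxation, not the policy
    in the message) a name is recorded only on an exact match with an
    existing account, which is not a secret.
    """
    if log_known and typed_name in known_users:
        who = f"user={typed_name}"
    else:
        who = "user=<not logged>"
    return f"FAILED LOGIN on {tty} {who}"

def summarize(attempts, known_users, log_known=False):
    """Return (records, failures_per_tty) for a batch of failed attempts."""
    records = []
    per_tty = Counter()
    for tty, typed in attempts:
        records.append(failed_login_record(tty, typed, known_users, log_known))
        per_tty[tty] += 1   # the reviewer still sees where failures cluster
    return records, per_tty

if __name__ == "__main__":
    recs, counts = summarize(ATTEMPTS, {"root", "admin"})
    for line in recs:
        print(line)
    print(dict(counts))
```

Because the decision is made when the record is written, nothing typed at the prompt has to be parsed back out of the log later, and typed text containing newlines or other delimiters cannot forge extra log lines.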