Login functionality

Tarek W. mailinglists1 at hotpop.com
Wed Feb 18 10:39:33 PST 2004


On Wed, 2004-02-18 at 16:32, Harley J Pig wrote:
> On Wed, Feb 18, 2004 at 04:52:16PM +1100, Thomas Sutton wrote:
> > Same reason, different justification. The high probability that a user
> > will, at some point, enter a valid (or near valid) password as a login
> > name makes it almost certain that passwords would find their way into
> 
> Some good points, but I agree with the attitude that it's the admin's
> responsibility.  If we try to prevent everything we'll just end up trying
> to be like Microsoft.
> 
> Alan

very well put, security through obscurity rather than trusting the
administrator is just plain wrong.

log the username.

/me scratches head

how bout logging the username only if the username matches an entry in
/etc/passwd. that way, UNKNOWN is a more narrow array of possibilities,
either it's somebody's pass or an attack or a mistyped username (the
latter can be dismissed by the frequency of log entries, the more log
entries, the more probability it was an attack)
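
The scheme proposed in this message, sketched as an added example (not part of the original post and not hlfs code): a failed login is logged under the typed name only when that name is an account in passwd-format data, otherwise as UNKNOWN, and UNKNOWN entries are counted per time window. The passwd text, the attempts, the log line format, the 300-second window and the threshold of 3 are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data: passwd-format text and failed login attempts
# as (timestamp in seconds, name typed at the login prompt).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
FAILED = [
    (0, "alice"),      # real account, wrong password
    (60, "admin"), (61, "oracle"), (62, "test"), (63, "guest"),  # guessing run
    (400, "hunter2!"),  # a password typed at the login prompt
    (900, "allice"),    # mistyped username
]

def known_users(passwd_text):
    """Account names from passwd-format text (first colon-separated field)."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}

def log_field(typed, users):
    """Name to write to the log: the account if it exists, else UNKNOWN."""
    return typed if typed in users else "UNKNOWN"

def failure_log(events, users):
    """One log line per failed attempt; unmatched input is never written."""
    return [f"t={ts} FAILED LOGIN user={log_field(name, users)}"
            for ts, name in events]

def unknown_bursts(events, users, window=300, threshold=3):
    """Fixed windows (keyed by start time) whose UNKNOWN count reaches the
    threshold; isolated UNKNOWN entries fall below it and are not reported."""
    per_window = Counter(ts // window for ts, name in events
                         if name not in users)
    return {w * window: n for w, n in per_window.items() if n >= threshold}

if __name__ == "__main__":
    users = known_users(PASSWD)
    print("\n".join(failure_log(FAILED, users)))
    print("UNKNOWN bursts:", unknown_bursts(FAILED, users))
```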




More information about the hlfs-dev mailing list