
Bug#869773: xdm logs failed logins that may be sensitive
On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:

> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
> 
> Dear Maintainer,
> 
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of a user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
> 
> The corresponding log line looks like this:
> 
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX
> 
> (I have redacted the login that was actually a password.)
> 
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.
> 
Isn't that true pretty much whichever way you log in (ssh, login, ...),
not just xdm?

Cheers,
Julien
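An added example, not part of the bug report or of xdm itself: a small Python filter that applies the report's suggestion to the quoted log format, keeping the name in a "LOGIN FAILURE ON" line only when it is an existing account and replacing it with a placeholder otherwise. The `exists` parameter is a hypothetical hook so the account lookup can be swapped for a fixed set (used below with constructed sample lines); by default it asks the local user database via `pwd`.

```python
import pwd
import re
from typing import Callable, Iterable, List

# Shape of the xdm line quoted in the bug report:
#   Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, <name typed by the user>
LOGIN_FAILURE = re.compile(
    r"^(?P<prefix>.*\bxdm\[\d+\]: LOGIN FAILURE ON (?P<display>\S+), )(?P<name>.*)$"
)
REDACTED = "<redacted>"


def account_exists(name: str) -> bool:
    """True when `name` is a login name known to the system (via NSS)."""
    if not name:
        return False
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def safe_login_label(name: str, exists: Callable[[str], bool] = account_exists) -> str:
    """Keep a real account name; anything else may be a mistyped password."""
    return name if exists(name) else REDACTED


def redact_xdm_line(line: str, exists: Callable[[str], bool] = account_exists) -> str:
    """Rewrite one syslog line; lines that are not xdm login failures pass through."""
    m = LOGIN_FAILURE.match(line)
    if m is None:
        return line
    return m.group("prefix") + safe_login_label(m.group("name"), exists)


def redact_log(lines: Iterable[str], exists: Callable[[str], bool] = account_exists) -> List[str]:
    return [redact_xdm_line(line, exists) for line in lines]


if __name__ == "__main__":
    # Constructed sample log with a hypothetical account set standing in for /etc/passwd.
    known = {"alice", "root"}.__contains__
    sample = [
        "Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, alice",
        "Jul 26 11:32:40 hellroy xdm[1004]: LOGIN FAILURE ON :0, correct horse battery",
        "Jul 26 11:32:45 hellroy sshd[1100]: Accepted publickey for alice",
    ]
    for out in redact_log(sample, known):
        print(out)
```

Because `pwd.getpwnam` goes through NSS, accounts served by LDAP or SSSD are recognised as well as local ones, so a name is only redacted when no configured source knows it.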

