Hi Johan,

* Johan Walles <firstname.lastname@example.org> [2008-08-28 11:46]:
> Let's keep debian-security in the discussion to see what others have
> to say about this.
>
> Technically I agree with you when you say that people shouldn't enter
> anything but their usernames at the login prompt, but the fact is that
> people (like me and the bug submitter for example) *do* enter their
> passwords there from time to time. People make mistakes, and this is
> not an uncommon one.

Maybe this is the case, but that's why this file is only readable for root and the adm group. So if an attacker is able to read this file, you have way more problems, as he wouldn't need to check the auth log for user errors but could just trace the login process, crack shadow, write a custom PAM module or something similar to get your login credentials.

> Security shouldn't be based on nobody ever doing more or less common mistakes.

See above.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - email@example.com - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
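Nico's argument rests on the auth log being readable only by root and the adm group. The following is an added example, not part of the mailing-list thread and not Debian's own tooling, that checks exactly that property for a log file: it flags a world-readable file, group access by any group other than adm, or ownership by a user other than root. The group name `adm` and the `/var/log/auth.log` default path are assumptions taken from the Debian convention mentioned in the mail; the function `auth_log_exposure` works on plain mode bits and names so it can be exercised offline without a real log file.

```python
import grp
import os
import pwd
import stat

# Assumption (Debian convention from the mail): only root and group adm may read the auth log.
ALLOWED_GROUPS = {"adm"}


def auth_log_exposure(mode: int, owner: str, group: str) -> list:
    """Return a list of exposure problems for a log file with the given
    permission bits (e.g. 0o640) and owner/group names. Empty list means
    the file matches the root:adm, no-world-access expectation."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if owner != "root":
        problems.append(f"owned by {owner}, expected root")
    # Group read is acceptable only for the adm group; group write is never expected.
    if mode & stat.S_IRGRP and group not in ALLOWED_GROUPS:
        problems.append(f"readable by group {group}, expected one of {sorted(ALLOWED_GROUPS)}")
    if mode & stat.S_IWGRP:
        problems.append(f"writable by group {group}")
    return problems


def check_auth_log(path: str = "/var/log/auth.log") -> list:
    """Stat a real file and run auth_log_exposure on its ownership and mode.
    Returns the problem list; raises FileNotFoundError if the path is absent."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return auth_log_exposure(stat.S_IMODE(st.st_mode), owner, group)


if __name__ == "__main__":
    # Constructed sample cases, evaluated offline without touching the filesystem.
    samples = [
        (0o640, "root", "adm"),     # the expected Debian layout
        (0o644, "root", "adm"),     # world-readable: any local user sees mistyped passwords
        (0o640, "root", "users"),   # group read granted to a broad group
        (0o600, "syslog", "adm"),   # root-only access but unexpected owner
    ]
    for mode, owner, group in samples:
        print(f"{oct(mode)} {owner}:{group} -> {auth_log_exposure(mode, owner, group) or 'ok'}")
```

Run `check_auth_log()` as root on a Debian host to audit the live file; an empty list confirms the assumption Nico's reply depends on, and any entry is a finding worth correcting before worrying about what users type at the login prompt.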