[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Password leaks are security holes

2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:
> Johan Walles wrote:
>> Security shouldn't be based on nobody ever doing more or less common
>> mistakes.
> auth.log was invented for this reason, and separated to standard log:
> it should be readable only by root, because users do errors.

It's readable by anybody with physical access to the hardware.

Hard disks get stolen all the time [1], and on publicly accessible
machines it's often possible to boot in runlevel 1 or from something
other than the hard disk and access any files you like.  That's why
the passwords in /etc/shadow are all hashed, rather than just being

> Anyway root already has the capability to view passwords
> (i.e. by installing alternate login programs, sniffing tty, ...)

That doesn't mean Debian should *help* root doing that in a default
install.  Security by default, anybody?

> So auth.log should log usernames, so that users don't do
> wrong assumption that password are not accessible by root!

I can see a point in logging *valid* usernames.  Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.

  Cheers //Johan

[1] - http://www.finfacts.ie/irishfinancenews/article_1014326.shtml

Reply to: