[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fwd: Password leaks are security holes

Hi Johan,
* Johan Walles <johan.walles@gmail.com> [2008-08-28 13:14]:
> 2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:
> > So auth.log should log usernames, so that users don't do
> > wrong assumption that password are not accessible by root!
> I can see a point in logging *valid* usernames.  Logging invalid
> usernames (which aren't unlikely to actually be passwords) is a
> security risk.

How would you determine valid and invalid ones? A user name 
that is considered valid could still be a password.

Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpEamvub2Vny.pgp
Description: PGP signature

Reply to: