Re: Fwd: Password leaks are security holes
Nico Golde un jour écrivit:
* Johan Walles <firstname.lastname@example.org> [2008-08-28 13:14]:
2008/8/28 Giacomo A. Catenazzi <email@example.com>:
So auth.log should log usernames, so that users don't do
wrong assumption that password are not accessible by root!
I can see a point in logging *valid* usernames. Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
How would you determine valid and invalid ones? A user name
that is considered valid could still be a password.
If that is the case, then It is most likely a very bad password that
someone could guess anyway, so that is a non-issue (except for the fact
that the password should obviously be changed for a better one).