Johan Walles wrote:
Hi Nico! Let's keep debian-security in the discussion to see what others have to say about this. Technically I agree with you when you say that people shouldn't enter anything but their usernames at the login prompt, but the fact is that people (like me and the bug submitter for example) *do* enter their passwords there from time to time. People make mistakes, and this is not an uncommon one. Security shouldn't be based on nobody ever doing more or less common mistakes.
auth.log was invented for this reason, and separated to standard log: it should be readable only by root, because users do errors. Anyway root already has the capability to view passwords (i.e. by installing alternate login programs, sniffing tty, ...) So auth.log should log usernames, so that users don't do wrong assumption that password are not accessible by root! ciao cate