Re: Fwd: Password leaks are security holes
2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:
> Johan Walles wrote:
>> Security shouldn't be based on nobody ever doing more or less common
>> mistakes.
>
> auth.log was invented for this reason, and separated to standard log:
> it should be readable only by root, because users do errors.

It's readable by anybody with physical access to the hardware.
Hard disks get stolen all the time [1], and on publicly accessible
machines it's often possible to boot in runlevel 1 or from something
other than the hard disk and access any files you like. That's why
the passwords in /etc/shadow are all hashed, rather than just being
chmodded.

> Anyway root already has the capability to view passwords
> (i.e. by installing alternate login programs, sniffing tty, ...)

That doesn't mean Debian should *help* root doing that in a default
install. Security by default, anybody?

> So auth.log should log usernames, so that users don't do
> wrong assumption that password are not accessible by root!

I can see a point in logging *valid* usernames. Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.

Cheers //Johan
[1] - http://www.finfacts.ie/irishfinancenews/article_1014326.shtml
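
Added example, not part of the original message and not Debian's or any logging daemon's own code: a filter that applies the policy argued for above, keeping login names that belong to real accounts and replacing any other name (possibly a password typed at the login prompt) with a placeholder. The OpenSSH-style message formats, the sample lines and the account set are assumptions constructed for illustration.

```python
import re

# Assumed OpenSSH-style failure messages. The name is matched greedily up
# to the last " from " because a mistyped password may contain spaces.
PATTERNS = [
    re.compile(r"(?P<pre>Failed \S+ for invalid user )(?P<user>.*)(?P<post> from \S+.*)$"),
    re.compile(r"(?P<pre>Invalid user )(?P<user>.*)(?P<post> from \S+.*)$"),
    re.compile(r"(?P<pre>Failed \S+ for )(?P<user>.*)(?P<post> from \S+.*)$"),
]
PLACEHOLDER = "<unknown-account>"  # hypothetical marker, chosen for this example


def redact_line(line, valid_users):
    """Return the line with its login name replaced unless it is a real account."""
    line = line.rstrip("\n")
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m is None:
            continue
        if m.group("user") in valid_users:
            return line  # valid usernames stay useful for auditing
        return line[:m.start()] + m.group("pre") + PLACEHOLDER + m.group("post")
    return line  # not a login-failure message: pass through unchanged


def redact_log(lines, valid_users):
    """Apply redact_line to every line of a log."""
    return [redact_line(line, valid_users) for line in lines]


# Constructed sample input (documentation addresses, made-up names).
SAMPLE_LOG = [
    "Aug 28 10:15:01 host sshd[2201]: Invalid user S3cret!pw from 192.0.2.10",
    "Aug 28 10:15:03 host sshd[2201]: Failed password for invalid user S3cret!pw from 192.0.2.10 port 50122 ssh2",
    "Aug 28 10:15:09 host sshd[2203]: Failed password for johan from 192.0.2.10 port 50124 ssh2",
    "Aug 28 10:15:20 host sshd[2207]: Invalid user correct horse from 192.0.2.10",
    "Aug 28 10:15:30 host sshd[2209]: Accepted password for johan from 192.0.2.10 port 50130 ssh2",
]
# Assumption: on a real system this set could be built from pwd.getpwall().
VALID_USERS = {"root", "johan"}

if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG, VALID_USERS):
        print(out)
```
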