Nico Golde un jour écrivit:
Hi Johan, * Johan Walles <johan.walles@gmail.com> [2008-08-28 13:14]:[...]2008/8/28 Giacomo A. Catenazzi <cate@debian.org>:So auth.log should log usernames, so that users don't do wrong assumption that password are not accessible by root!I can see a point in logging *valid* usernames. Logging invalid usernames (which aren't unlikely to actually be passwords) is a security risk.How would you determine valid and invalid ones? A user name that is considered valid could still be a password.
If that is the case, then It is most likely a very bad password that someone could guess anyway, so that is a non-issue (except for the fact that the password should obviously be changed for a better one).
Simon Valiquette