Bug#869773: xdm logs failed logins that may be sensitive
On 2017-07-28 20:49 +0200, Julien Cristau wrote:
> On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:
>
>> Package: xdm
>> Version: 1:1.1.11-3
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> When somebody tries to log in and fails, xdm writes the given user name in
>> the system logs. Unfortunately, typing the password in the login field is a
>> common mistake. When that happens, xdm logs it too. That leaves the
>> password of a user in clear in the system logs. It is not very
>> important, but still a little security concern since normally passwords
>> are stored permanently on the system only in hashed form.
>>
>> The corresponding log line looks like this:
>>
>> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX
>>
>> (I have redacted the login that was actually a password.)
>>
>> It may be better to not log it at all, or maybe only log it when it matches
>> an actual login name.
>>
> Isn't that true pretty much whichever way you log in (ssh, login, ...),
> not just xdm?
The unknown username should not be in the log; login(1) replaces names
of non-existent users with "UNKNOWN" when logging failed attempts.
Cheers,
Sven
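As an added example (not code from the bug report, from xdm or from login(1)), here is the mitigation Sven describes applied to xdm-style failure messages: a name that matches no local account is replaced with "UNKNOWN" before it reaches the log, and the same check can scrub lines already written. The account list `SAMPLE_ACCOUNTS` is a constructed stand-in for the passwd database; the log line is the one from the report with a constructed value in place of the redacted field.

```python
import pwd
import re

# Constructed sample of local accounts, used instead of the real passwd
# database so the example runs offline and deterministically.
SAMPLE_ACCOUNTS = {"root", "alice", "bob"}

# Matches the message format quoted in the report: "LOGIN FAILURE ON :0, <name>"
LOGIN_FAILURE_RE = re.compile(r"(LOGIN FAILURE ON [^,]+, )(.*)$")


def account_exists(name, accounts=None):
    """Return True if `name` is an existing local account.

    With `accounts` given (a set of user names), that set is consulted; with
    accounts=None the real passwd database is queried via pwd.getpwnam().
    """
    if accounts is not None:
        return name in accounts
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def sanitize_login_name(name, accounts=None):
    """Apply the login(1) rule: a name that is not a real account becomes "UNKNOWN".

    A password typed into the user-name field almost never matches an
    account, so it is never written to the log in clear.
    """
    return name if account_exists(name, accounts) else "UNKNOWN"


def login_failure_line(display, name, accounts=None):
    """Build the xdm-style failure message with the name sanitized first."""
    return "LOGIN FAILURE ON %s, %s" % (display, sanitize_login_name(name, accounts))


def scrub_log_line(line, accounts=None):
    """Rewrite an already-logged failure line so that only real account names remain.

    Useful when cleaning existing logs after the fact; lines that are not
    LOGIN FAILURE messages are returned unchanged.
    """
    m = LOGIN_FAILURE_RE.search(line)
    if not m:
        return line
    prefix, name = m.group(1), m.group(2)
    return line[:m.start()] + prefix + sanitize_login_name(name, accounts)
```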