Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!sunybcs!sbcs!stealth!brnstnd
From: brnstnd@stealth.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID: <4217@sbcs.sunysb.edu>
Date: 11 Dec 89 19:32:50 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <1236@ispi.UUCP>
Sender: news@sbcs.sunysb.edu
Reply-To: brnstnd@stealth.acf.nyu.edu (Dan Bernstein)
Distribution: usa
Organization: IR
Lines: 19

In article <1236@ispi.UUCP> jbayer@ispi.UUCP (Jonathan Bayer) writes:
> les@chinet.chi.il.us (Leslie Mikesell) writes:
> >I want logging of *all* keystrokes during a failing attempt at logging
> >in (more to allow me to help with the problem, but it would also
> >help detect intruders).

My login program does this; it even records the times between keystrokes.
It runs in raw mode at the moment, though I'm considering switching back
to cbreak. (Why does this imply that login and getty/telnetd need to be
combined?)

> This is not a good idea. If someone unauthorized sees this log file
> they would have a fairly good idea of some of the passwords on the
> system.

All password characters (except backspace and newline) are replaced by x.
The information loss does not outweigh the security gain.

---Dan
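
The masking described in the post above, as an added example that is not part of the original post and is not the poster's login program: it records inter-keystroke delays for one failed attempt and replaces every password character except backspace and newline with x. The event layout (login name, newline, password, newline), the `<NL>`/`<BS>` tokens, the log-line format and the sample keystrokes are assumptions constructed here.

```python
# Added example (not the poster's code): mask password keystrokes in a
# failed-login keystroke log while keeping backspace, newline and timing.

BACKSPACE = {"\b", "\x7f"}
NEWLINE = {"\r", "\n"}

# Constructed sample: (time in ms, character) for one failed attempt.
SAMPLE = [(0, "b"), (110, "o"), (200, "b"), (330, "\n"),
          (900, "h"), (1010, "u"), (1100, "n"), (1400, "\x7f"),
          (1520, "t"), (1610, "\n")]

def redact_attempt(events):
    """events: [(time_ms, char)] read one character at a time (raw/cbreak).
    Assumed layout: login name, newline, password, newline.
    Returns [(delay_ms, token)] with password characters replaced by 'x'."""
    records, in_password, prev = [], False, None
    for t_ms, ch in events:
        delay = 0 if prev is None else t_ms - prev
        prev = t_ms
        if ch in NEWLINE:
            token = "<NL>"
            in_password = not in_password   # name -> password -> next name
        elif ch in BACKSPACE:
            token = "<BS>"
        elif in_password:
            token = "x"                     # the real character is never stored
        elif ch.isprintable():
            token = ch
        else:
            token = "\\x%02x" % ord(ch)     # control byte at the name prompt
        records.append((delay, token))
    return records

def format_log(records):
    """One log line: token+delay_ms pairs separated by spaces."""
    return " ".join("%s+%d" % (tok, d) for d, tok in records)

def masked_password_length(records):
    """What the masked record still carries: the length of the first
    password field after its backspaces are applied."""
    length, field = 0, 0
    for _, tok in records:
        if tok == "<NL>":
            field += 1
            if field == 2:
                break
        elif field == 1:
            length = max(0, length - 1) if tok == "<BS>" else length + 1
    return length

if __name__ == "__main__":
    print(format_log(redact_attempt(SAMPLE)))
```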