Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uflorida!mephisto!ncsuvx!mcnc!rti!xyzzy!meissner
From: meissner@dg-rtp.dg.com (Michael Meissner)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Message-ID:
Date: 12 Dec 89 13:57:02 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <1236@ispi.UUCP> <4217@sbcs.sunysb.edu>
Sender: usenet@xyzzy.UUCP
Distribution: usa
Organization: Data General (Languages @ Research Triangle Park, NC.)
Lines: 34
In-reply-to: brnstnd@stealth.acf.nyu.edu's message of 11 Dec 89 19:32:50 GMT

In article <4217@sbcs.sunysb.edu> brnstnd@stealth.acf.nyu.edu (Dan Bernstein) writes:

| In article <1236@ispi.UUCP> jbayer@ispi.UUCP (Jonathan Bayer) writes:
| > les@chinet.chi.il.us (Leslie Mikesell) writes:
| > >I want logging of *all* keystrokes during a failing attempt at logging
| > >in (more to allow me to help with the problem, but it would also
| > >help detect intruders).
|
| My login program does this; it even records the times between keystrokes.
| It runs in raw mode at the moment, though I'm considering switching back
| to cbreak. (Why does this imply that login and getty/telnetd need to be
| combined?)
|
| > This is not a good idea. If someone unauthorized sees this log file
| > they would have a fairly good idea of some of the passwords on the
| > system.
|
| All password characters (except backspace and newline) are replaced by x.
| The information loss does not outweigh the security gain.

This seems to come up time and time again. The problem with logfiles (including /dev/console) and passwords is that users often type passwords at the login prompt. Thus if user 'foo' has a password 'bar456' and types the password at the wrong time, a message will be sent to the logfile stating that unknown user 'bar456' tried to log on.
The safest thing I've heard is to only write the username in question if you are sure it's a valid username (or possibly a name a cracker would try, such as guest).
--
Michael Meissner, Data General.
Until 12/15: meissner@dg-rtp.DG.COM
After 12/15: meissner@osf.org
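As an added illustration (not code from the original thread or from any real login program), here are the two defensive rules the post discusses, in Python: Bernstein's masking of password keystrokes (everything but backspace and newline becomes `x`) and Meissner's rule of writing the attempted name to the log only when it is a known account or a name crackers commonly probe. The account list and probe list are constructed for the example.

```python
# Constructed example: failed-login audit helpers applying the two rules
# from the thread. Not taken from any real login(1) implementation.

# Constructed sample data: accounts on this host, and names that an
# operator wants to see verbatim because they are commonly probed.
VALID_USERS = frozenset({"root", "foo", "jbayer", "operator"})
COMMON_PROBES = frozenset({"guest", "admin", "anonymous", "ftp"})


def mask_password_keystrokes(keys):
    """Bernstein's rule: replace every password character with 'x', but keep
    backspace and newline so the trace still shows how the field was edited
    and terminated (useful for debugging a user's login trouble)."""
    return "".join(c if c in ("\b", "\n") else "x" for c in keys)


def audit_line(name_keys):
    """Meissner's rule: echo the attempted name only if it is a real account
    or a commonly probed name. Anything else may be a password typed at the
    wrong prompt, so it is withheld and only its length is recorded."""
    name = name_keys.rstrip("\n")
    if name in VALID_USERS:
        return f"login: failed login for user {name}"
    if name in COMMON_PROBES:
        return f"login: failed login for commonly probed name {name}"
    return f"login: failed login, unknown user name withheld ({len(name)} chars)"


def record_failed_attempt(name_keys, password_keys):
    """Return the two records a login program would write for one failed
    attempt: the audit line, and the keystroke trace with the password
    field masked. The name field is masked too whenever audit_line()
    would have withheld it, so the trace cannot leak what the log does not."""
    name = name_keys.rstrip("\n")
    shown = name in VALID_USERS or name in COMMON_PROBES
    name_trace = name_keys if shown else mask_password_keystrokes(name_keys)
    trace = "keystrokes: " + name_trace + mask_password_keystrokes(password_keys)
    return [audit_line(name_keys), trace]


if __name__ == "__main__":
    # The scenario from the post: the password typed at the login prompt.
    for line in record_failed_attempt("bar456\n", "bar456\n"):
        print(repr(line))
```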