Path: utzoo!attcan!ram
From: ram@attcan.UUCP (Richard Meesters)
Newsgroups: comp.unix.wizards
Subject: Re: What should the password/security/userinfo/login system include?
Summary: Password Logging...
Message-ID: <10650@attcan.UUCP>
Date: 12 Dec 89 20:23:32 GMT
References: <4180@sbcs.sunysb.edu> <1989Dec7.172233.10130@chinet.chi.il.us> <398@bilver.UUCP>
Distribution: usa
Organization: AT&T Canada Inc., Toronto
Lines: 41

In article <398@bilver.UUCP>, bill@bilver.UUCP (Bill Vermillion) writes:
> In article <1989Dec9.053433.5407@chinet.chi.il.us> les@chinet.chi.il.us (Leslie Mikesell) writes:
> >In article <1236@ispi.UUCP> jbayer@ispi.UUCP (Jonathan Bayer) writes:
> >
> >>>I want logging of *all* keystrokes during a failing attempt at logging
> >>>in.
> >
> >>This is not a good idea.  If someone unauthorized sees this log file
> >>they would have a fairly good idea of some of the passwords on the
> >>system.
> >
> >If they are written to a file that can only be read by root, why
> >should I worry about that?  If someone can already get root permissions
> >why would they want to know any other passwords?
>

Simply put, if you have root permission, you are in as root, and are
traceable as such.  You don't have access to the machine from a remote
terminal unless you already have a user's login.  If you wanted to be an
unobtrusive hack you could simply figure out from the log file what the
user's password was, then keep using it for as long as the user keeps (or
is allowed to keep) that password.  No one would be the wiser.

Personally I like the fact that even the superuser doesn't -know- my
password.  True, he can change it to no password, or even any password he
wants, but unless he can decrypt the file, he couldn't possibly use *my*
password.  It adds a feeling of security on the user's side.

> >... In that vein, I'd personally like to strangle the person who
> >invented automatic password aging.
>

Password aging is optional (at least on System V) and, while I don't like
it any better than you, if the system administrator deems it necessary to
keep proper security on his machines, then I have no choice but to go
along with it.  Let's face it, it is more secure than everyone using the
same password over and over on a number of systems ad infinitum.

Regards,
Richard Meesters