On Fri, 3 Feb 2006, innate@xxxxxx wrote: > the cleartext password came into the log file because someone > has been out of concentration and entered the password instead of > the username in some client for connecting to a ssh server. Seeing what accounts people are trying to log into is also important. I'm sure that most administrators would be interested in seeing, for example, login attempts on a deleted ex-staff member's account. > another problem might be cause by showing the illegal username for > the login and even if this is caused by another lame written software > the problem is real (remind human unperfection): > > the username could contain characters that might be interpreted wrong > from other software. example from log file (caused by sshd again): > > Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ... > > just note the characters: > <> XXS, html injeciton? > ';() SQL injection? > '; shell commands? OpenSSH tries to be idiot proof against stupid syslogds by stripping control characters from log strings, but you can always invent a bigger (hypothetical) idiot. If your log processing software is so fundamentally broken that it passes unmodified data to shells, SQL servers or HTML then nothing is going save you - you will need to ensure that every piece of software that logs can never be cajoled into writing something that could be misinterpreted. > prevention: > illegal users dont need to be shown in the log files. most servers > only print a "UNKNOWN USER" in their log file and in my opinion this > makes a lot of sense. This destroys useful information and lessens the evidentary value of the log file. A better prevention: chmod 0600 /var/log/authlog (assuming it isn't already). -d
