Hello All,

This morning when I logged in with my password instead of my username, the thought crossed my addled mind that we once had a security problem with an FTP daemon in Ultrix 3.1 that logged failed authorization with the failing user name. Surely that lesson has been learned by now, I thought, as I checked the syslog log.

Actually, it hasn't. My password was logged twice like this:

    Dec 5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
    Dec 5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) -> PASSWD for system-auth service
    Dec 5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD

My password isn't "PASSWD" -- it's something else, but I'm not going to tell you what. What's worse is that these three lines were followed by

    Dec 5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for user jch by (uid=0)

so not only does the local system admin know my password, but he (well, ok, it's me, but...) knows which user the password belongs to. Said local admin can now try that against my "HP Digital Badge" to see what juicy information he can find, ditto personnel records, NT account, etc etc.

In general, of course, we *never* save passwords in the clear unless we absolutely must, but this definitely takes the biscuit.

Are there any other PAM modules that log the failed user name like this?

jch
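An added example, not part of the original message: a log scrubber that redacts the echoed login name whenever PAM reported "user unknown" for that process, and reports which account later opened a session from the same PID so its password can be rotated. The helper name `scrub` is hypothetical, the regexes assume exactly the line format quoted in the message, and the sample lines are constructed from it.

```python
import re

# Constructed sample in the format quoted in the message ("PASSWD" is its placeholder).
SAMPLE = """\
Dec 5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
Dec 5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) -> PASSWD for system-auth service
Dec 5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD
Dec 5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for user jch by (uid=0)
Dec 5 09:02:10 ilex PAM_unix[23901]: authentication failure; (uid=0) -> jch for system-auth service
"""

LINE = re.compile(r"^(?P<head>.*?\[(?P<pid>\d+)\]: )(?P<msg>.*)$")
# The two places where the quoted lines echo the name typed at the login prompt.
ECHOED = re.compile(r"(-> |^Couldn't authenticate ).+?(?= for \S+ service$|$)")
OPENED = re.compile(r"session opened for user (\S+)")


def scrub(text):
    """Return (redacted_log, exposures). Hypothetical helper, not part of PAM."""
    unknown = set()  # PIDs for which PAM reported "user unknown"
    out, exposures = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            out.append(line)
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.endswith("user unknown"):
            unknown.add(pid)
        elif pid in unknown:
            opened = OPENED.search(msg)
            if opened:
                # Same process then logged in: the earlier "name" was
                # probably this user's password.
                exposures.append((pid, opened.group(1)))
                unknown.discard(pid)
            else:
                msg = ECHOED.sub(r"\1[REDACTED]", msg)
        out.append(m["head"] + msg)
    return "\n".join(out), exposures


if __name__ == "__main__":
    redacted, exposures = scrub(SAMPLE)
    print(redacted)
    for pid, user in exposures:
        print(f"pid {pid}: mistyped login name may be the password of {user}; rotate it")
```

Failures for names that PAM did recognise (the constructed 09:02:10 line) are left intact, since a known account name is not a secret.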