Hello John,

> This morning when I logged in with my password instead of my
> username, the thought crossed my addled mind that we once had a security
> problem with an FTP daemon in Ultrix 3.1 that logged failed
> authorization with the failing user name.
> Surely that lesson has been learned by now, I thought, as I checked
> the syslog log.
> Actually, it hasn't. My password was logged twice like this:
>
> Dec 5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
> Dec 5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) ->
> PASSWD for system-auth service
> Dec 5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD
>
> My password isn't "PASSWD" -- it's something else, but I'm not going to
> tell you what. What's worse is that these three lines were followed by
>
> Dec 5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for
> user jch by (uid=0)
>
> so not only does the local system admin know my password, but he (well,
> ok, it's me, but...) knows which user the password belongs to. Said
> local admin can now try that against my "HP Digital Badge" to see what
> juicy information he can find, ditto personnel records, NT account, etc
> etc.

If you don't trust the local system administrator with your password, you shouldn't be giving that password to a piece of software that he has control over, *PERIOD*. He doesn't need PAM's help to get at that information. Whether PAM logs usernames from failed logins is inconsequential in comparison to the problems you face if you believe your system administrator has malicious intentions.

If your system log files are configured such that anyone (not just trusted administrators) can read them, then of course this logging is a bad thing. The solution here is to provide an easy mechanism for the system administrator to enable or disable username logging as deemed appropriate, and to arm said administrator with as much information as possible about the consequences.

Personally, I don't mind having the usernames logged by default; but I also don't mind having this turned off. Unless someone objects, I don't see any reason not to change the default.

Steve Langasek
postmodern programmer
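The pattern John describes (an "unknown user" failure whose logged name is really a password, followed seconds later by a real login from the same PID) can be picked out of an existing syslog and masked before the log is handed to anyone. The script below is an added example, not code from this thread or from Linux-PAM; the log excerpt is constructed to mirror the quoted lines, with "PASSWD" standing in for the leaked value and PID 23600 as an unrelated failure that should not be flagged.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt modelled on the lines quoted in the thread;
# "PASSWD" stands in for the real password, PID 23600 is an unrelated failure.
SAMPLE_LOG = """\
Dec  5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
Dec  5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) -> PASSWD for system-auth service
Dec  5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD
Dec  5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for user jch by (uid=0)
Dec  5 09:10:02 ilex PAM_unix[23600]: check pass; user unknown
Dec  5 09:10:02 ilex PAM_unix[23600]: authentication failure; (uid=0) -> bogus for system-auth service
"""
STAMP = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ PAM_unix\[(\d+)\]: "
UNKNOWN_RE = re.compile(STAMP + r"check pass; user unknown$")
FAIL_RE = re.compile(STAMP + r"authentication failure; \(uid=\d+\) -> (\S+) for \S+ service$")
OPEN_RE = re.compile(STAMP + r"\(\S+\) session opened for user (\S+) by")
FMT = "%b %d %H:%M:%S"  # syslog stamps carry no year; the 1900 default is fine for deltas

def find_leaks(log_text, window_seconds=60):
    """Unknown-user failure, then a session opened by the same PID within the
    window: the logged 'user name' is very likely the next user's password."""
    unknown, pending, findings = set(), {}, []
    for line in log_text.splitlines():
        if m := UNKNOWN_RE.match(line):
            unknown.add(m.group(2))
        elif (m := FAIL_RE.match(line)) and m.group(2) in unknown:
            stamp, pid, token = m.groups()
            pending[pid] = (datetime.strptime(stamp, FMT), token)
            unknown.discard(pid)
        elif (m := OPEN_RE.match(line)) and m.group(2) in pending:
            stamp, pid, user = m.groups()
            t_fail, token = pending.pop(pid)
            delta = (datetime.strptime(stamp, FMT) - t_fail).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append({"pid": pid, "leaked_token": token,
                                 "user": user, "delta_seconds": int(delta)})
    return findings

def scrub(log_text, findings, mask="<redacted>"):
    """Mask each leaked token in every line from its PID (PAM and the calling
    application, gdm here, share the PID and both logged the value)."""
    out = []
    for line in log_text.splitlines():
        for f in findings:
            if f"[{f['pid']}]" in line:
                line = line.replace(f["leaked_token"], mask)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run against a real syslog, `find_leaks` gives the admin the list of accounts whose owners should be told to change their password, and `scrub` produces a copy safe to hand to anyone without root-level trust.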