On Mon, 11 Dec 2000, John Haxby wrote:

> > If you don't trust the local system administrator with your password, you
> > shouldn't be giving that password to a piece of software that he has control
> > over, *PERIOD*. He doesn't need PAM's help to get at that information.
> > Whether PAM logs usernames from failed logins is inconsequential in comparison
> > to the problems you face if you believe your system administrator has
> > malicious intentions.

> I *don't* trust the administrator with my password. It's kept on the other
> side of a one-way function for precisely that reason. Passwords are not
> kept in clear *PERIOD*. If you don't understand why, think about how often
> people have different passwords for different machines or purposes. If you
> still don't see why, then I'll try to explain.

FWIW, I've checked the behavior of pam_unix in Linux-PAM 0.72. The default
behavior is to NOT log invalid usernames unless the 'audit' flag is turned on.
If this server has Linux-PAM 0.72 installed (the most recent version that has
shipped with a Linux distribution), and your password was still logged, then
you may want to check to see how this untrusted sysadmin has configured the
machine's PAM settings.

Nevertheless, if you genuinely don't trust the system admin (laying aside for
the moment the issue of unauthorized access to tape backups, brought up in your
other message), then changing PAM's logging behavior does nothing but give you
a false sense of security. I can think of half a dozen ways for the admin to
extract the password that you use on that machine, and some of those methods
don't even require that you log in to the box. PAM can't compensate for a lack
of interpersonal trust; if you need an authentication system that can do that,
then you need Kerberos (/true/ Kerberos, not just a pam_krb5 module).

Otherwise, you need to make sure that an untrusted admin who gets ahold of your
password can't use that password to access other resources that he wouldn't
otherwise have access to. That means using different passwords for different
machines.

Steve Langasek
postmodern programmer
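The practical risk behind this exchange is that a user who types a password into the username prompt ends up with that password written to the auth log as an "invalid user", where anyone who can read the log (or the backups of it) sees it. The script below is an added example, not code from the thread or from Linux-PAM: it scans auth-log lines for the username field of failed logins, flags names that cannot be POSIX login names or that mix character classes the way passwords do, and redacts them so the log can be retained safely. The log formats it recognises and the sample lines are constructed for illustration and are not a specification of pam_unix or sshd output; the heuristics are assumptions a log reviewer would tune for their own site.

```python
"""Flag and redact likely password-in-username leaks in auth logs.

Added example, not part of the original mailing-list thread.  The line
formats matched below and SAMPLE_LOG are constructed for illustration.
"""
import math
import re
from typing import List, Optional, Tuple

# Where a username tends to appear in a failed-login line.  These are
# assumptions about common formats, not guaranteed pam_unix/sshd output.
USERNAME_PATTERNS = [
    re.compile(r"bad username \[(?P<name>[^\]]*)\]"),  # pam_unix with 'audit'
    re.compile(r"Invalid user (?P<name>\S+) from"),    # sshd-style line
    re.compile(r"\buser=(?P<name>\S+)"),               # pam_unix auth failure
]

# Conservative shape of a POSIX login name (assumption; adjust per site).
VALID_LOGIN_NAME = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_.-]{0,31}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_password(name: str) -> bool:
    """Heuristic: a 'username' that is not a valid login name, or that mixes
    three or more character classes (lower/upper/digit/symbol), is more
    likely a mistyped password than an account name."""
    if not VALID_LOGIN_NAME.match(name):
        return True
    classes = sum([
        any(c.islower() for c in name),
        any(c.isupper() for c in name),
        any(c.isdigit() for c in name),
        any(not c.isalnum() for c in name),
    ])
    return classes >= 3


def extract_username(line: str) -> Optional[str]:
    """Return the username recorded in a failed-login line, if any."""
    for pat in USERNAME_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("name")
    return None


def find_suspicious_usernames(lines: List[str]) -> List[Tuple[str, float]]:
    """Return (name, entropy) for every logged username that looks like a
    password, in log order."""
    hits = []
    for line in lines:
        name = extract_username(line)
        if name and looks_like_password(name):
            hits.append((name, round(shannon_entropy(name), 2)))
    return hits


def redact_line(line: str, name: str) -> str:
    """Replace a leaked value in a log line before the log is retained."""
    return line.replace(name, "[REDACTED]")


# Constructed sample lines: a normal failure, two password-shaped
# "usernames", and an ordinary unknown account name.
SAMPLE_LOG = [
    "Dec 11 10:02:11 host sshd[4711]: pam_unix(sshd:auth): authentication "
    "failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice",
    "Dec 11 10:02:15 host sshd[4711]: pam_unix(sshd:auth): bad username [Tr0ub4dor&3]",
    "Dec 11 10:02:19 host sshd[4712]: Invalid user xK9mQ2pL from 192.0.2.10",
    "Dec 11 10:03:01 host sshd[4713]: Invalid user backup from 192.0.2.11",
]

if __name__ == "__main__":
    for name, entropy in find_suspicious_usernames(SAMPLE_LOG):
        print(f"possible leaked password as username: entropy={entropy}")
    for line in SAMPLE_LOG:
        name = extract_username(line)
        if name and looks_like_password(name):
            line = redact_line(line, name)
        print(line)
```

Run it over a real auth log with `find_suspicious_usernames(open(path).read().splitlines())`; the useful output is the list of line positions to scrub, and the redaction should be applied before the log leaves the host for central collection or tape, which is exactly where the thread's concern about untrusted readers applies.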