Steve Langasek wrote: > > FWIW, I've checked the behavior of pam_unix in Linux-PAM 0.72. The default > behavior is to NOT log invalid usernames unless the 'audit' flag is turned on. > If this server has Linux-PAM 0.72 installed (the most recent version that has > shipped with a Linux distribution), and your password was still logged, then > you may want to check to see how this untrusted sysadmin has configured the > machine's PAM settings. > Hmm. That's odd. I'm running RedHat 7.0 and the /etc/pam.d/gdm says ------ #%PAM-1.0 auth required /lib/security/pam_stack.so service=system-auth auth required /lib/security/pam_nologin.so account required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session optional /lib/security/pam_console.so ------ which is exactly as it came out of the box. gdm also logs the failing user as well. RH7 purports to come with PAM 0.72 -- I'll check the source RPM to see what's going on. > > Nevertheless, if you genuinely don't trust the system admin (laying aside for > the moment the issue of unauthorized access to tape backups, brought up in > your other message), then changing PAM's logging behavior does nothing but > give you a false sense of security. I can think of half a dozen ways for the > admin to extract the password that you use on that machine, and some of those > methods don't even require that you log in to the box. PAM can't compensate > for a lack of interpersonal trust; if you need an authentication system that > can do that, then you need Kerberos (/true/ Kerberos, not just a pam_krb5 > module). Otherwise, you need to make sure that an untrusted admin who gets > ahold of your password can't use that password to access other resources that > he wouldn't otherwise have access to. That means using different passwords > for different machines. It's not lack of trust of the administrator really, it's a question of how easy is it to get hold of my password. It takes a degree of skill to extract the password, ranging from quite a lot (installing a rogue version of gdm that squirrels away usernames and passwords), through a moderate amount (using something like strace) to next to nothing (grep /var/log/messages). Some percentage of administrators are corrupt, or at least morally reprehensible. Of that group, practically all of them will know how to use grep and will, generally speaking, look in /var/log/messages anyway for anything untoward. A small fraction of the group will have the ability to extract passwords by more sophisticated means and an even smaller group will be good at it. We don't have a good defense against that small group, but we can protect against the unwashed masses (to coin a phrase). It's a question of balancing risk against complexity and usability. You could go for encrypted disks and biometrically locked, tamper-resistant smart cards. That'd provide pretty good security for an isolated system - but at a significant cost, like not being able to send mail messages. My manager doesn't keep really sensitive information on a computer here because he knows that any one of us could, if we wanted to, break in and steal that information. So he keeps the information on a floppy either at home or in a locked drawer (we don't know how to pick locks :-) The traditional Unix authentication is a long way from being secure. Apart from anything else, you only need to know the password and the password doesn't change from day to day. Even if you do force people to change their password, then they change it back to what it was the day before. Or they choose a set of related passwords (like the months of the year, days of the week or whatever). If you generate a random password, they write it down on a Post-It and stick it to their screen. What are we protecting ourselves against though? Well, certainly not against someone who has the talent to steal passwords from the authentication programs and the necessary privileges on the target machine in the first place. I guess we're just providing protection against those with limited talent and matching morals -- hackers apart, those people like you and me that could break into a system in any one of a number of ways simply have no interest in doing so because we know it is wrong. jch (reading "Secrets & Lies" for the second time, it really is that good, honest)
begin:vcard n:Haxby;John tel;fax:+44 1344 763686 tel;work:+44 1344 763711 x-mozilla-html:FALSE url:https://ecardfile.com/id/jch org:OpenMail R&D adr:;;Hewlett Packard<br>Nine Mile Ride;Wokingham;Berks;RG40 3LL;United Kingdom version:2.1 email;internet:jch@pwd.hp.com note;quoted-printable:<em>OpenMail for All!</em> =3B<img src=3D"http://www.openmail.com/cyc/om/00/graphics/omlinux.jpg"; width=3D53 height=3D62 align=3Dbottom> x-mozilla-cpt:;25408 fn:John Haxby end:vcard
![http://www.openmail.com/cyc/om/00/graphics/omlinux.jpg"](http://www.openmail.com/cyc/om/00/graphics/omlinux.jpg"){kind=link}