Bugtraq mailing list archives
Re: cleartext passwords get into log files
From: Damien Miller <djm () mindrot org>
Date: Tue, 7 Feb 2006 09:47:24 +1100 (EST)
On Fri, 3 Feb 2006, innate () gmx de wrote:
> The cleartext password came into the log file because someone was not concentrating and entered the password instead of the username in some client for connecting to an ssh server.
Seeing what accounts people are trying to log into is also important. I'm sure that most administrators would be interested in seeing, for example, login attempts on a deleted ex-staff member's account.
> Another problem might be caused by showing the illegal username for the login, and even if this is caused by other lamely written software the problem is real (remember human imperfection): the username could contain characters that might be interpreted wrongly by other software. Example from a log file (caused by sshd again):
>
> Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
>
> Just note the characters: <> XSS, HTML injection? ';() SQL injection? '; shell commands?
OpenSSH tries to be idiot proof against stupid syslogds by stripping control characters from log strings, but you can always invent a bigger (hypothetical) idiot. If your log processing software is so fundamentally broken that it passes unmodified data to shells, SQL servers or HTML then nothing is going to save you - you will need to ensure that every piece of software that logs can never be cajoled into writing something that could be misinterpreted.
> Prevention: illegal users don't need to be shown in the log files. Most servers only print "UNKNOWN USER" in their log file, and in my opinion this makes a lot of sense.
This destroys useful information and lessens the evidentiary value of the log file. A better prevention: chmod 0600 /var/log/authlog (assuming it isn't already).

-d
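The division of responsibility argued above (the logger strips control characters, every consumer escapes for its own context) as an added Python example; this is not code from OpenSSH or from either poster. The log line is constructed after the one quoted in the thread, and the parser, HTML renderer and SQLite insert are hypothetical log-processing code.

```python
import html
import re
import sqlite3

# Constructed sample modelled on the sshd line quoted in the thread.
SAMPLE_LINE = ("Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam "
               "for invalid user d'a<d>;(m)l from 192.0.2.10")

# Hypothetical pattern for sshd "invalid user" records.
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) "
                     r"for invalid user (?P<user>.*?) from (?P<src>\S+)$")


def strip_controls(s: str) -> str:
    """Logger-side step, as OpenSSH is described doing above: drop control
    characters (a newline would otherwise forge a second log record) but
    leave printable metacharacters such as <>';() untouched."""
    return "".join(ch for ch in s if ch.isprintable())


def parse_failed_login(line: str):
    """Consumer-side parse; the username field is untrusted input."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def to_html_row(rec: dict) -> str:
    """HTML context: escape every field, so <d> and ' cannot become markup."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(rec["user"]), html.escape(rec["src"]))


def store_failed_login(conn: sqlite3.Connection, rec: dict):
    """SQL context: bound parameters, never string concatenation, so ';()
    in the username are data rather than syntax."""
    conn.execute("CREATE TABLE IF NOT EXISTS failed_logins "
                 "(pid INTEGER, method TEXT, username TEXT, src TEXT)")
    conn.execute("INSERT INTO failed_logins VALUES (?, ?, ?, ?)",
                 (int(rec["pid"]), rec["method"], rec["user"], rec["src"]))
    return conn.execute("SELECT username FROM failed_logins").fetchall()


def process_line(line: str) -> dict:
    """Run one log line through logger-side stripping and both consumers."""
    rec = parse_failed_login(strip_controls(line))
    return {"html": to_html_row(rec),
            "stored": store_failed_login(sqlite3.connect(":memory:"), rec)}
```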
Current thread:
- cleartext passwords get into log files innate (Feb 04)
- Re: cleartext passwords get into log files Ben Wheeler (Feb 06)
- Re: cleartext passwords get into log files Damien Miller (Feb 06)