Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 19 Sep 2005 08:10:22 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: Patch to include the username in all syslog messages

On Sat, Sep 17, 2005 at 12:34:25PM -0500, Mr Duck wrote:
> Solar Designer wrote:
> >Unfortunately, a side-effect is that you will also get some
> >plaintext passwords logged since some users are dumb enough to
> >enter their password in place of username.  This was one of two
> >reasons for
> 
>   It is unfortunate that someone would do this, but not enough of a
> reason to cause any significant influence, IMHO.   Plus, a simple
> password scan could check the unknown username against the password
> list, and look for matches.  That would at least provide an
> opportunity to do some adjustment so that their plain password was
> not fully displayed... not really worth it IMHO, but if someone
> was concerned over this...

Such a password scan would be taking tens of seconds on a properly
configured system (with purposefully expensive password hashing) with
more than just a handful of accounts.  It would not catch (and hide)
mistyped passwords.  And it has its own security issues (timing leaks,
etc.) and implementation difficulties.  Overall, it's definitely not a
reasonable thing to do.

> >not logging unknown usernames.  The other reason is that unknown
> >usernames may contain any "garbage" characters, including terminal
> >controls, making it unsafe to browse logs on some systems (where syslogd
> >does not filter or escape potential terminal controls) unless special
> >precautions are taken (e.g., "less -U" is OK, "more" or plain "grep ..."
> >with output to the terminal are not).
> 
>   An easy fix.  Before any logging is done with an unknown username,
> parse it for "garbage" characters, and replace them with something
> non-garbage...

Yes.  I liked not having to do that, though.

>   Of anything that I think popa3d should contain, this patch is *the*
> one.  It's not fun to track logs when you can't tell which line is
> for what user.

For known usernames, you can - by matching PIDs.  For unknown ones, you
similarly know which line is for what connecting IP address.

Yes, I understand that having usernames on each line makes things
easier, although it makes lines longer and logs bigger.

>   Each full session is given a unique instance ID.  This ID is logged 
> with every log item.  This way, the password/garbage char concerns
> would be addressed, and log-watchers like myself and Fredrik will have
> something easy to link log entries.

This is not very different from syslogd's logging of PIDs, except that
session IDs can be made longer and actually unique (unlike PIDs, which
are re-used eventually).  Right now, log analysis scripts have to limit
their searches to a certain distance (e.g., 1000 lines) to not be
confused by re-used PIDs.

>   Bear in mind, this is my opinion and nothing more.  I'm not the
> one who wrote and is supporting the pop server. (=   but, I am a user
> of the server and as such, feel that my opinion counts for something,
> if only a voice.
> (=

Your voice is heard.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ