Nico Golde un jour écrivit:
Hi Johan,
* Johan Walles <[EMAIL PROTECTED]> [2008-08-28 13:14]:
2008/8/28 Giacomo A. Catenazzi <[EMAIL PROTECTED]>:
[...]
So auth.log should log usernames, so that users don't do
wrong assumption that password are not accessible by root!
I can see a point in logging *valid* usernames. Logging invalid
usernames (which aren't unlikely to actually be passwords) is a
security risk.
How would you determine valid and invalid ones? A user name
that is considered valid could still be a password.
If that is the case, then It is most likely a very bad password that
someone could guess anyway, so that is a non-issue (except for the fact
that the password should obviously be changed for a better one).
Simon Valiquette
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
