[cvsnt] Re: 2.5.01.1998: User password in CLEAR(public) form in "secure" log on Linux

Tony Hoyle tmh at nodomain.org
Wed Jun 22 10:40:00 BST 2005


Andrew Gaganov wrote:

> I didn't find an option to disable it.
> It would be better not to show passwords in clear form, even if login fails.
> 
It's in the secure log (LOG_AUTHPRIV) which only root can access - the 
purpose of this log is to log information that ordinary users cannot 
see.  Since it's the wrong password anyway, and root can already read 
/etc/shadow and crack the correct password (or simply change an existing 
password), it's not any information that isn't already available.

cvshome cvs does exactly the same thing, btw, and always has done as far 
as I can tell (at least as far back as 2001 from searching).

You can always disable it in the code if it bothers you that much.

Tony
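
An added example, not taken from cvsnt or from either poster's message: a failed-login logger that writes to LOG_AUTHPRIV with the attempted password either included, as discussed in the thread, or omitted. The function names, the flag and the message wording are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy src into dst, replacing non-printable characters so that a
   crafted user name cannot split the record across log lines. */
static void copy_printable(char *dst, size_t len, const char *src)
{
    size_t i = 0;
    if (len == 0)
        return;
    for (; src[i] != '\0' && i + 1 < len; i++)
        dst[i] = isprint((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Hypothetical message builder (name and wording are assumptions).
   log_password != 0: attempted password appears in the record.
   log_password == 0: the failure is recorded without it. */
int format_login_failure(char *buf, size_t len, const char *user,
                         const char *password, int log_password)
{
    char safe_user[64];
    copy_printable(safe_user, sizeof safe_user, user);
    if (log_password)
        return snprintf(buf, len, "login failure for %s (password %s)",
                        safe_user, password);
    return snprintf(buf, len, "login failure for %s", safe_user);
}

/* Send the record to the authpriv facility, the one the thread
   refers to as the "secure" log. */
void log_login_failure(const char *user, const char *password, int log_password)
{
    char msg[256];
    format_login_failure(msg, sizeof msg, user, password, log_password);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", msg);
}

int main(void)
{
    /* Constructed sample input. */
    log_login_failure("alice", "not-the-real-one", 0);
    return 0;
}
```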


