[cvsnt] 2.5.01.1998: User password in CLEAR (public) form in "secure" log on Linux

David Somers dsomers at trevezel.com
Wed Jun 22 11:21:52 BST 2005


> From: cvsnt-bounces at cvsnt.org [mailto:cvsnt-bounces at cvsnt.org] On Behalf
> Of Andrew Gaganov

[snip]
> Today, I discovered that cvsnt writes users' passwords to the Linux secure log,
> if login fails.
> For example (password filled '*'):
> --------------
> Jun 22 12:39:39 cvs cvsnt: login failure by vbaranov / ******* (for
> /home/cvs/root)
> Jun 22 12:43:35 cvs cvsnt: login failure by vbaranov / **** (for
> /home/cvs/root)
> --------------

That's strange... in my syslog it just says something like:
Jun 22 12:16:27 caslon cvs[16938]: login failure (for /omz13)

So there's no sign of even the username, let alone the password... maybe
because I'm using PAM.

Greetings from Luxembourg,

David
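
An added example, not part of the original thread or of cvsnt: a Python scrubber for the "login failure by user / password" line format quoted in the report, which redacts the password field and lists the affected usernames. The sample lines, usernames and passwords are constructed, and the function names are hypothetical.

```python
import re

# Leaking format quoted in the report:
#   "<timestamp> <host> cvsnt: login failure by <user> / <password> (for <root>)"
# The password group is greedy and the "(for ...)" suffix is anchored at the end
# of the line, so a password containing " / " or "(for" is still fully covered.
LEAK_RE = re.compile(
    r"^(?P<head>.*?\bcvsnt(?:\[\d+\])?: login failure by )"
    r"(?P<user>\S+) / (?P<secret>.*)"
    r"(?P<tail> \(for [^()]*\))\s*$"
)
REDACTED = "[REDACTED]"


def scrub_line(line):
    """Return (clean_line, user); user is None when no password was present."""
    m = LEAK_RE.match(line)
    if not m:
        return line, None
    return f"{m['head']}{m['user']} / {REDACTED}{m['tail']}", m["user"]


def scrub_log(lines):
    """Scrub every line; return (clean_lines, sorted usernames whose password leaked)."""
    clean, users = [], set()
    for raw in lines:
        line, user = scrub_line(raw.rstrip("\n"))
        clean.append(line)
        if user is not None:
            users.add(user)
    return clean, sorted(users)


# Constructed sample input (not real log data).
SAMPLE = [
    "Jun 22 12:39:39 cvs cvsnt: login failure by alice / hunter2 (for /home/cvs/root)",
    "Jun 22 12:43:35 cvs cvsnt: login failure by bob / a / b (for x) (for /home/cvs/root)",
    "Jun 22 12:16:27 caslon cvs[16938]: login failure (for /omz13)",  # no user or password
]

if __name__ == "__main__":
    cleaned, affected = scrub_log(SAMPLE)
    print("\n".join(cleaned))
    print("accounts with a logged password attempt:", affected)
```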



