Re: Problems with wuftpd - password logging(?)

[jfh () rpp386 cactus org (John F. Haugh II)]

> On Thu, 16 Mar 1995, DaVe McComb wrote:
>
> > I seem to have a major problem with wuftpd version wu-2.4, in that if a 
> > specific sequence of steps is taken, the user's password is logged to 
> > /var/adm/messages, wtmp, and to the screen.  This is happening under 
>
> This also happens to me.  I've just stepped up the amount of logging that 
> occurs with our main Unix box, which is an RS/6000 running AIX 3.2.5.  
>
> The ftpd is the standard one that IBM provide.  If ftpd is invoked with a 
> -d option, and syslog logs daemon activity of debug and above, then, when 
> a normal user ftp's to the machine, it logs their password!  Not good.  
>
> I wanna keep track of the ftp activity of my users, but I don't want to
> see their passwords in the log file.  On AIX this is not *SO* much of a
> problem as the log file is sat in /var/spool/mqueue which is mode 770 for
> root.system, but it still concerns me.  Don't know what anyone else 
> thinks about this.
>
> Anyone know a way around this except from turning the log level back to
> "info" only? 
>
> -----[ syslog extract ]-------
> Mar 31 14:33:09 server0 ftpd[26843]: connect from client2
> Mar 31 14:33:09 server0 ftpd[26843]: <--- 220 
> Mar 31 14:33:09 server0 ftpd[26843]: server0 FTP server (Version 4.9 Thu 
> Sep 2 20:35:07 CDT 1993) ready.
> Mar 31 14:33:40 server0 ftpd[26843]: command: USER xyz1^M 
> Mar 31 14:33:40 server0 ftpd[26843]: <--- 331 
> Mar 31 14:33:40 server0 ftpd[26843]: Password required for xyz1.
> Mar 31 14:33:49 server0 ftpd[26843]: command: PASS momsname^M 
> Mar 31 14:33:49 server0 ftpd[26843]: <--- 230 
> Mar 31 14:33:49 server0 ftpd[26843]: User xyz1 logged in.
> -----[ end of extract ]-------

Whenever I get to the office (or get my phone line to be available ...)
I'm going to open an internal defect report against this problem.  I've
not heard of this problem before, and given that I hear about all AIX
security problems (as long as they are called something like a security
problem ...), it would seem that somebody reported the problem to bugtraq
before bothering to report it to the vendor.  Not cool -- no fair
complaining vendors are unresponsive if you don't give them first crack.

However, given the way the data is presented, my guess is that you
can't get around this problem.  My inclination is to believe that you've
gotten what you asked for -- every command and response exactly as it
is received by the server.  If that's the case, a change in documentation
is all that is really required.  In either case, I will speak with the
component owner and release manager and see about doing something to ftpd.
No promises, tho.

In the mean time, try to keep in mind what "debug" means.  Try also to
remember that debugging is very useful in many instances any only setable
by root anyway.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org