Bugtraq mailing list archives

Re: Write-only devices (Was read only devices)


From: banz () nolimit110 com (Robert Banz)
Date: Fri, 28 Jun 1996 11:42:59 -0400


On Thu, 27 Jun 1996 aleipold () clark net wrote:

I think you should log more than just valid usernames.  In logging code
I wrote once I logged all usernames that had one of the following
characteristics:
        - existing user
        - only alpha numeric characters, starting with an alpha

While that may still log passwords, it only logs weak passwords.


        Take it a step further. In messing around with sources to daemons
I figured the best way to do this would be: (note, don't do this on a system
with lots of accounts). I knew that a computer (586) can do about 1200
crypts per second. So then I:

/* don't syslog a failed "username" that is really some account's password */
matched = 0;
for (a = 0; a < accountsleft; a++) {
    oops = crypt(word, salt[a]);               /* salt[a]: that account's salt */
    if (strcmp(oops, rightpassword[a]) == 0)
        matched = 1;                           /* it is a real password */
}
if (!matched)
    syslog(LOG_INFO, "oops...");               /* otherwise safe to log it */

Wouldn't work if you're using a system with either 13000 users or
some other method of authentication for logins (such as kerberos).  Hence,
it's a really good idea(tm) for your syslog to be readable only by root,
or a certain 'special' group of people.  (also good to let your users
know that they should read before they type, but you know how much
good that does)
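The two filters discussed in this thread (aleipold's "existing user or alphanumeric starting with a letter" rule, and Banz's "hash it against every account's salt first" refinement) combined into one decision function, as an added example that is not code from either poster. It assumes a constructed account table and uses salted SHA-256 as a stand-in for crypt(3); the per-account cost of the second check is the reason the post warns against it on systems with many accounts.

```python
import hashlib
import hmac
import re

# Constructed sample account table (not from the thread): username ->
# (salt, salted hash). SHA-256 stands in for crypt(3) here; the salt is the
# per-account "salt[a]" of the post.
def _h(salt: str, password: str) -> str:
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()

ACCOUNTS = {
    "banz":     ("ab", _h("ab", "correct horse")),
    "aleipold": ("cd", _h("cd", "hunter2")),
}

# aleipold's rule: only alphanumeric characters, starting with a letter.
ALNUM_START_ALPHA = re.compile(r"[A-Za-z][A-Za-z0-9]*")

def looks_like_username(name: str) -> bool:
    """True for an existing user or a plausible (alnum, alpha-first) name."""
    return name in ACCOUNTS or ALNUM_START_ALPHA.fullmatch(name) is not None

def is_some_accounts_password(candidate: str, accounts=ACCOUNTS) -> bool:
    """Banz's refinement: hash the string with every account's salt and
    compare against the stored hash. Cost is one hash per account, which
    is why the post says not to do this with lots of accounts."""
    found = False
    for salt, stored in accounts.values():
        # constant-time compare; keep scanning so timing does not leak a hit
        if hmac.compare_digest(_h(salt, candidate), stored):
            found = True
    return found

def should_log(failed_name: str, use_password_check: bool = True) -> bool:
    """Decide whether a failed-login 'username' is safe to write to syslog."""
    if not looks_like_username(failed_name):
        return False   # odd characters: most likely a mistyped password
    if use_password_check and is_some_accounts_password(failed_name):
        return False   # it IS someone's password: never write it to the log
    return True        # heuristic alone would still log weak (alnum) passwords

if __name__ == "__main__":
    for name in ["banz", "bob", "hunter2", "p@ssw0rd!", "correct horse"]:
        print(f"{name!r:16} log={should_log(name)}")
```

Note that "hunter2" passes the alphanumeric heuristic and would be logged without the hash check, which is exactly the "only logs weak passwords" gap aleipold mentions.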


