Re: cleartext passwords get into log files

[Damien Miller <djm () mindrot org>]

On Fri, 3 Feb 2006, innate () gmx de wrote:

> the cleartext password came into the log file because someone 
> has been out of concentration and entered the password instead of
> the username in some client for connecting to a ssh server. 

Seeing what accounts people are trying to log into is also important.
I'm sure that most administrators would be interested in seeing, for
example, login attempts on a deleted ex-staff member's account. 

> another problem might be cause by showing the illegal username for
> the login and even if this is caused by another lame written software
> the problem is real (remind human unperfection):
>
> the username could contain characters that might be interpreted wrong
> from other software. example from log file (caused by sshd again):
>
> Feb  2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
>
> just note the characters:
>       <>      XXS, html injeciton?
>       ';()    SQL injection?
>       ';      shell commands?

OpenSSH tries to be idiot proof against stupid syslogds by stripping 
control characters from log strings, but you can always invent a 
bigger (hypothetical) idiot.

If your log processing software is so fundamentally broken that it
passes unmodified data to shells, SQL servers or HTML then nothing is
going save you - you will need to ensure that every piece of software
that logs can never be cajoled into writing something that could be 
misinterpreted.

> prevention:
> illegal users dont need to be shown in the log files. most servers
> only print a "UNKNOWN USER" in their log file and in my opinion this 
> makes a lot of sense.

This destroys useful information and lessens the evidentary value of 
the log file. A better prevention:

chmod 0600 /var/log/authlog

(assuming it isn't already).

-d