BugTraq
cleartext passwords get into log files Feb 03 2006 11:53AM
innate gmx de (2 replies)
Re: cleartext passwords get into log files Feb 06 2006 10:47PM
Damien Miller (djm mindrot org)
On Fri, 3 Feb 2006, innate (at) gmx (dot) de [email concealed] wrote:

> the cleartext password came into the log file because someone
> has been out of concentration and entered the password instead of
> the username in some client for connecting to a ssh server.

Seeing what accounts people are trying to log into is also important.
I'm sure that most administrators would be interested in seeing, for
example, login attempts on a deleted ex-staff member's account.

> another problem might be cause by showing the illegal username for
> the login and even if this is caused by another lame written software
> the problem is real (remind human unperfection):
>
> the username could contain characters that might be interpreted wrong
> from other software. example from log file (caused by sshd again):
>
> Feb 2 10:20:28 hostname sshd[7419]: Failed keyboard-interactive/pam for invalid user d'a<d>;(m)l from ...
>
> just note the characters:
> <> XXS, html injeciton?
> ';() SQL injection?
> '; shell commands?

OpenSSH tries to be idiot proof against stupid syslogds by stripping
control characters from log strings, but you can always invent a
bigger (hypothetical) idiot.

If your log processing software is so fundamentally broken that it
passes unmodified data to shells, SQL servers or HTML then nothing is
going save you - you will need to ensure that every piece of software
that logs can never be cajoled into writing something that could be
misinterpreted.

> prevention:
> illegal users dont need to be shown in the log files. most servers
> only print a "UNKNOWN USER" in their log file and in my opinion this
> makes a lot of sense.

This destroys useful information and lessens the evidentary value of
the log file. A better prevention:

chmod 0600 /var/log/authlog

(assuming it isn't already).

-d

[ reply ]
Re: cleartext passwords get into log files Feb 06 2006 11:20AM
Ben Wheeler (b wheeler ulcc ac uk)


 

Privacy Statement
Copyright 2010, SecurityFocus