On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:
> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
>
> Dear Maintainer,
>
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of a user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
>
> The corresponding log line looks like this:
>
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX
>
> (I have redacted the login that was actually a password.)
>
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.
>

Isn't that true pretty much whichever way you log in (ssh, login, ...), not just xdm?

Cheers, Julien
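
The report's second suggestion (log the typed name only when it matches an actual login name), sketched as an added example that is not part of either message and is not xdm's code. The function names, the predicate type and the "alice" sample account are assumptions; only the "LOGIN FAILURE ON" line format comes from the report.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical predicate type: nonzero if `name` is an existing account. */
typedef int (*account_exists_fn)(const char *name);

/* Default predicate backed by the system account database. */
static int system_account_exists(const char *name)
{
    return getpwnam(name) != NULL;
}

/* Constructed sample predicate so the demo does not depend on local accounts. */
static int sample_account_exists(const char *name)
{
    return strcmp(name, "alice") == 0;
}

/*
 * Build the login-failure log line into `out`.
 * The typed name is written only if it is an existing account; anything else
 * (possibly a password typed into the login field) is replaced by a marker.
 * Pass exists == NULL to use getpwnam().
 * Returns 1 if the typed name was logged, 0 if it was withheld.
 */
static int format_login_failure(char *out, size_t outlen, const char *display,
                                const char *typed, account_exists_fn exists)
{
    if (exists == NULL)
        exists = system_account_exists;
    if (typed != NULL && typed[0] != '\0' && exists(typed)) {
        snprintf(out, outlen, "LOGIN FAILURE ON %s, %s", display, typed);
        return 1;
    }
    snprintf(out, outlen, "LOGIN FAILURE ON %s, (name withheld)", display);
    return 0;
}

int main(void)
{
    char line[256];
    format_login_failure(line, sizeof line, ":0", "alice", sample_account_exists);
    puts(line); /* real account name: logged */
    format_login_failure(line, sizeof line, ":0", "S3cretPassw0rd", sample_account_exists);
    puts(line); /* not an account: typed text never reaches the log */
    return 0;
}
```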