Re: Self compiling and login failure messages
Wolfgang Mettbach writes:
>
> I downloaded the latest source code to get rid of the security bugs hanging
> around in older versions. After compiling I noticed messages about login
> failures in the syslog file. This wouldn't be bad if the used password wasn't
> written there unencrypted. If someone just mistypes one single character of
> his/her password it would be very easy to crack the real password.
>
> How do I get rid of these messages? Do I have to modify the source code or is
> there an option that can be used when compiling that I haven't found yet?

Fix your syslog configuration. CVS syslogs actual passwords using the "authpriv" facility (if your syslog doesn't support that facility, CVS doesn't log the actual passwords). The authpriv facility is defined as authorization messages (like login failures) containing sensitive information, so they should be logged to a file readable only by root (or other trusted individuals); they should *NOT* be logged to the normal syslog file. You need to add a line something like:

    authpriv.*    /var/log/secure

near the top of your /etc/syslog.conf (where /var/log/secure has appropriate permissions). Heaven only knows what other kinds of sensitive information you're publishing in your syslog.

-Larry Jones

I think grown-ups just ACT like they know what they're doing. -- Calvin

___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
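
Added example (not part of the original messages and not CVS code): a shell audit of the configuration the reply above describes. It lists every file a classic syslog.conf routes authpriv messages to and flags those that the group or others can read. Assumptions: classic selector syntax only, owner-only read as the required permission, and the function names and the ROOT test prefix are invented for this example.

```shell
#!/bin/sh
# Print each log file that receives authpriv messages (classic syslog.conf).
authpriv_targets() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        hit = 0
        n = split($1, sel, ";")             # selectors are ";"-separated
        for (i = 1; i <= n; i++) {
            split(sel[i], fp, "[.]")        # facility[,facility].priority
            m = split(fp[1], fac, ",")
            for (j = 1; j <= m; j++)
                if (fac[j] == "authpriv" || fac[j] == "*")
                    hit = (fp[2] != "none") # a later selector overrides
        }
        if (hit && $NF ~ /^-?\//) { sub(/^-/, "", $NF); print $NF }
    }' "$1"
}

# Succeed if the group or others can read FILE (mode string from ls).
readable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????r?????|???????r??) return 0 ;;
    esac
    return 1
}

# audit_authpriv CONF [ROOT]: ROOT is a path prefix (hypothetical, for tests).
audit_authpriv() {
    bad=0
    for f in $(authpriv_targets "$1"); do
        if [ ! -e "$2$f" ]; then echo "MISSING $f"
        elif readable_by_others "$2$f"; then echo "EXPOSED $f"; bad=1
        else echo "OK $f"; fi
    done
    return $bad
}

# Constructed sample: the catch-all line lacks authpriv.none.
demo() {
    d=$(mktemp -d); mkdir -p "$d/var/log"
    printf '%s\n' '*.info;mail.none  /var/log/messages' \
                  'authpriv.*        /var/log/secure' > "$d/syslog.conf"
    : > "$d/var/log/messages"; chmod 644 "$d/var/log/messages"
    : > "$d/var/log/secure";   chmod 600 "$d/var/log/secure"
    audit_authpriv "$d/syslog.conf" "$d" && rc=0 || rc=1
    rm -rf "$d"; return $rc
}
demo || echo "authpriv messages reach a file others can read"
```

On a real host, run `audit_authpriv /etc/syslog.conf` as root; an EXPOSED line means the selector needs `authpriv.none` or the file needs tighter permissions.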
Self compiling and login failure messages
Hello,

I downloaded the latest source code to get rid of the security bugs hanging around in older versions. After compiling I noticed messages about login failures in the syslog file. This wouldn't be bad if the used password wasn't written there unencrypted. If someone just mistypes one single character of his/her password it would be very easy to crack the real password.

How do I get rid of these messages? Do I have to modify the source code or is there an option that can be used when compiling that I haven't found yet?

(PS: I know that a pserver is not a very secure thing to use, but we have our reasons why we must use it.)

Thanks in advance for any help.

Regards,
--
Wolfgang Mettbach      Phone: +49 (0)5251 50081-22
ynes GmbH              Fax: +49 (0)5251 50081-19
Paderborn (Germany)    http://www.ynes.de