Security problem in pam_unix?


    This morning when I logged in with my password instead of my
username, the thought crossed my addled mind that we once had a security
problem with an FTP daemon in Ultrix 3.1 that logged failed
authorization with the failing user name.

    Surely that lesson has been learned by now, I thought, as I checked
the syslog log.

    Actually, it hasn't.   My password was logged twice like this:

Dec  5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
Dec  5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) ->
PASSWD for system-auth service
Dec  5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD

My password isn't "PASSWD" -- it's something else, but I'm not going to
tell you what.   What's worse is that these three lines were followed by

Dec  5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for
user jch by (uid=0)

so not only does the local system admin know my password, but he (well,
ok, it's me, but...) knows which user the password belongs to.  Said
local admin can now try that against my "HP Digital Badge" to see what
juicy information he can find, ditto personnel records, NT account, etc.

In general, of course, we *never* save passwords in the clear unless we
absolutely must, but this definitely takes the biscuit.  Are there any
other PAM modules that log the failed user name like this?
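The leak described above can be caught on the log-collection side. The following is an added example, not code from the post or from Linux-PAM: it parses syslog lines of the shape shown in the message, correlates by PID the "check pass; user unknown" event with the "authentication failure ... -> NAME" line that actually carries the rejected name, redacts that name from every later line the same PID writes, and raises an alert when the same PID then opens a session for a real user shortly afterwards (the pattern that means the rejected "user name" was probably that user's password). The 60-second correlation window, the `[REDACTED]` marker and the field layout of the regular expressions are assumptions; the sample lines are the ones quoted above, re-joined into single lines.

```python
import re
from datetime import datetime

# Log lines from the post above ("PASSWD" stands in for whatever was typed
# into the user-name field); syslog lines carry no year, as in real output.
SAMPLE_LOG = """\
Dec  5 08:49:39 ilex PAM_unix[23569]: check pass; user unknown
Dec  5 08:49:39 ilex PAM_unix[23569]: authentication failure; (uid=0) -> PASSWD for system-auth service
Dec  5 08:49:39 ilex gdm[23569]: Couldn't authenticate PASSWD
Dec  5 08:49:51 ilex PAM_unix[23569]: (system-auth) session opened for user jch by (uid=0)
"""

# Assumed classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
UNKNOWN_RE = re.compile(r"check pass; user unknown")
FAIL_RE = re.compile(r"authentication failure; .*-> (?P<name>\S+) for \S+ service")
OPEN_RE = re.compile(r"session opened for user (?P<user>\S+)")

REDACTED = "[REDACTED]"
WINDOW_SECONDS = 60   # assumption: a retry inside this window is the same person


def parse_ts(ts):
    """Syslog timestamps carry no year; any fixed year is fine for deltas."""
    return datetime.strptime("2000 " + " ".join(ts.split()), "%Y %b %d %H:%M:%S")


def redact_token(text, token):
    """Replace `token` only where it stands as a whole whitespace-delimited word."""
    return re.sub(r"(?<!\S)" + re.escape(token) + r"(?!\S)", REDACTED, text)


def scrub_and_detect(lines, window=WINDOW_SECONDS):
    """Return (scrubbed_lines, alerts).

    scrubbed_lines: the input, with the rejected user name blanked out on every
      line the same PID logs after a 'check pass; user unknown' event.
    alerts: one dict per PID where such a failure was followed within `window`
      seconds by a successful session for a real user; the rejected "user name"
      was very probably that user's password.
    """
    pending = {}            # pid -> {"ts": datetime, "name": str or None}
    scrubbed, alerts = [], []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            scrubbed.append(line)   # not a line we understand: pass it through
            continue
        pid, msg, ts = m["pid"], m["msg"], parse_ts(m["ts"])

        state = pending.get(pid)
        if state and (ts - state["ts"]).total_seconds() > window:
            del pending[pid]        # too old to correlate; PIDs get reused
            state = None

        if UNKNOWN_RE.search(msg):
            # The "user unknown" line itself carries no name; the name only
            # shows up in the following "authentication failure" line.
            pending[pid] = state = {"ts": ts, "name": None}

        fail = FAIL_RE.search(msg)
        if fail and state and state["name"] is None:
            state["name"] = fail["name"]

        opened = OPEN_RE.search(msg)
        if opened and state and state["name"]:
            alerts.append({
                "pid": pid,
                "user": opened["user"],
                "seconds": int((ts - state["ts"]).total_seconds()),
            })
            del pending[pid]

        if state and state["name"]:
            line = redact_token(line, state["name"])
        scrubbed.append(line)
    return scrubbed, alerts


if __name__ == "__main__":
    out, found = scrub_and_detect(SAMPLE_LOG.splitlines())
    print("\n".join(out))
    for a in found:
        print(f"ALERT pid {a['pid']}: unknown-user failure followed {a['seconds']}s "
              f"later by login of {a['user']}; the rejected name may be a password")
```

Run it on a syslog file and write the scrubbed output where the original would have gone; the alerts are what a security officer should act on (the affected user needs a password change, and the unscrubbed copy of the log needs the same handling as any other file holding a clear-text password). Keying on the PID works here because gdm and the PAM module it calls log under the same PID; a daemon that forks per attempt would need the correlation keyed on something else, such as the terminal or remote host.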


