[cvsnt] Re: 2.5.01.1998: User password in CLEAR(public) form in "secure" log on Linux
Tony Hoyle
tmh at nodomain.org
Wed Jun 22 12:08:50 BST 2005
Andrew Gaganov wrote:
> It's not true. The shadow file contains only password hashes, and cracking
> passwords is normally a complex task.
No it isn't - a simple dictionary search across a password file will
catch 90% of the passwords in most organisations in a couple of minutes.
Kerberos fixes this by having the entire database encrypted by a
master password (which is long and unguessable).
Basically if someone has root you have *far* worse problems than the
security of your auth.log file.
>
>> cvshome cvs does exactly the same thing, btw. and always has done as far
>> as I can tell (at least as far back as 2001 from searching).
>
> Yes, but it happens on CLIENT side (not SERVER), on client computer.
>
It's server side only. The client is not involved in that code.
This is not new at all... it's been in every CVS as far back as I can find.
It's not that it can't change (I probably will change it), but that it's
really not that big a deal, given that the file it's logged to contains
all sorts of sensitive information - even logging usernames has
similar considerations (typing a password as the username.. more common than
you'd expect).
Tony