Wolfgang Mettbach writes:
>
> I downloaded the latest source code to get rid of the security bugs hanging
> around in older versions. After compiling I noticed messages about login
> failures in the syslog file. This wouldn't be bad if the used password wasn't
> written there unencrypted. If someone just mistypes one single character of
> his/her password it would be very easy to crack the real password.
>
> How do I get rid of these messages? Do I have to modify the source code or is
> there an option that can be used when compiling that I haven't found yet?

Fix your syslog configuration. CVS syslogs actual passwords using the
"authpriv" facility (if your syslog doesn't support that facility, CVS
doesn't log the actual passwords). The authpriv facility is defined as
authorization messages (like login failures) containing sensitive
information, so they should be logged to a file readable only by root
(or other trusted individuals); they should *NOT* be logged to the
normal syslog file. You need to add a line something like:

    authpriv.*    /var/log/secure

near the top of your /etc/syslog.conf (where /var/log/secure has
appropriate permissions). Heaven only knows what other kinds of
sensitive information you're publishing in your syslog.

-Larry Jones

I think grown-ups just ACT like they know what they're doing. -- Calvin

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
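
An added example, not part of the reply above: a small audit that reads a classic syslog.conf and lists every destination that still receives authpriv messages, then checks whether such a file is readable beyond its owner. In classic syslogd a message is written by every rule that matches it, so a catch-all selector such as `*.info` keeps copying authpriv messages to the shared log unless it also carries `authpriv.none`. The two sample configurations are constructed, and the selector handling is simplified (the `=` and `!` priority modifiers are ignored).

```python
import os
import stat

# Constructed sample configs (not from the original post).
LEAKY = """\
# everything at info and above goes to the shared log
*.info;mail.none        /var/log/messages
mail.*                  /var/log/maillog
"""
FIXED = """\
authpriv.*                          /var/log/secure
*.info;mail.none;authpriv.none      /var/log/messages
mail.*                              /var/log/maillog
"""

def receives_authpriv(selector_field):
    """Evaluate semicolon-separated selectors left to right; a later
    selector naming authpriv (or *) overrides an earlier one."""
    on = False
    for sel in selector_field.split(";"):
        facilities, _, priority = sel.strip().partition(".")
        names = [f.strip() for f in facilities.split(",")]
        if "authpriv" in names or "*" in names:
            on = priority.strip().lower() != "none"
    return on

def authpriv_destinations(conf_text):
    """Return the action field of every rule that gets authpriv messages."""
    dests = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and receives_authpriv(parts[0]):
            dests.append(parts[1].strip().lstrip("-"))
    return dests

def readable_beyond_owner(mode):
    """True if group or other can read a file with this st_mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    for path in authpriv_destinations(FIXED):
        if path.startswith("/") and os.path.exists(path):
            mode = os.stat(path).st_mode
            print(path, oct(stat.S_IMODE(mode)),
                  "TOO OPEN" if readable_beyond_owner(mode) else "ok")
```

To audit a real host, pass the contents of /etc/syslog.conf to `authpriv_destinations` instead of the sample strings.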