When a user attempts to log in to a remote repository via pserver with the wrong password, CVS writes a message to the LOG_AUTHPRIV syslog() facility containing the incorrect password. As a bonus, if you're running release 1.11.6 or later, I believe it also includes the correct password - we're not there yet, but that's the way the src/server.c looks to me.
I know a proper syslogd setup will send LOG_AUTHPRIV messages to someplace secure (e.g. /var/log/secure on Red Hat Linux), but it still seems wrong to include either password in the message. Doubly wrong if you're using system passwords to secure CVS. Can we please consider suppressing the passwords, at least optionally?

--
Ross A. Patterson
Chief Technology Officer
CatchFIRE Systems, Inc.
5885 Trinity Parkway, Suite 220
Centreville, VA 20120
(703) 563-4164
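
A sketch of the optional suppression requested in the message above, as an added example that is not CVS's code and not part of the original message. The function names, the `log_passwords` switch and the message format are assumptions, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helpers, not taken from CVS's src/server.c. */

/* Copy src into dst, replacing control characters so client-supplied
   text (user name, mistyped password) cannot forge extra log lines. */
static void sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[i] = '\0';
}

/* Build the failed-login message. log_passwords is an assumed opt-in
   switch; 0 keeps the attempted password out of the log entirely. */
int format_login_failure(char *out, size_t outlen, const char *user,
                         const char *attempted, int log_passwords)
{
    char safe_user[64], safe_pw[64];
    sanitize(safe_user, sizeof safe_user, user);
    if (!log_passwords)
        return snprintf(out, outlen,
                        "login failure: user=%s password=<suppressed>", safe_user);
    sanitize(safe_pw, sizeof safe_pw, attempted);
    return snprintf(out, outlen,
                    "login failure: user=%s password=%s", safe_user, safe_pw);
}

/* Send the message to the same facility the message above names. */
void report_login_failure(const char *user, const char *attempted, int log_passwords)
{
    char msg[256];
    format_login_failure(msg, sizeof msg, user, attempted, log_passwords);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", msg);
}

int main(void)
{
    char msg[256];
    format_login_failure(msg, sizeof msg, "ross", "hunter2", 0); /* constructed values */
    puts(msg);
    return 0;
}
```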
