Thayne Harbaugh <[EMAIL PROTECTED]> writes:
> "Niels M�ller" wrote:
> >
> > Thayne Harbaugh <[EMAIL PROTECTED]> writes:
> >
> > > lshd does not appear to log who uses it to log in nor does
> > > it seem to show anyone logged in using the w or who command.
> >
> > There is some code to do this in server_session.c, written by Ray. It
> > is currently commented out, because I don't quite understand how these
> > things are supposed to work.
> >
> > lshd ought to log a message when a user is authenticated successfully.
>
> Yes. I'm eagerly awaiting this feature. I'd also like to
> see users logins when "who" or "w" is used. Thanks - hope
> it's figured out soon.
Adding log messages on login should be easy, just another werror call
at the right place. Even if the syslog feature is suboptimal, using
the same level for all mesasges. This could be fixed, but it is a
little more work.
Updating the who-database is a little more tricky. Pointers to
documentation on how to do this properly and portably are appreciated.
Using PAM is probably not an option.
> For unix systems I mean any username that is mapped to UID 0 -
> not just the username root (things like rewt, admin, foo or
> whatever if they map to UID 0 should be controllable).
The natural way is to test the uid, not the name.
> Yes - I think this should be the default with a way to override
> it if someone really wants to login directly as root.
Noted.
> > As for zero-length passwords, I'm not so sure. Do you mean
> > password-les accounts (empty passwd field in /etc/passwd or
> > /etc/shadow), or accounts with the empty string as password?
> >
> > In the former case, I think lshd should already deny access. Is this
> > reasonable? In the latter case, that might well be a problem, but I
> > don't think lshd is the right tool to address it.
>
> I really mean both accounts with no password and accounts with
> the empty string. Neither or these practices are secure and
> should be controllable. Which tools do you think are appropriate
> for this?
If the passwd file contains some encrypted password where the
corresponding unencrypted passwords are weak, you should catch it with
something like crack, or similar tests done at the time the password
is changed. In my view, the empty string is just a special case of a
weak password.
(One could add some feature to lsh to automatically run crack on all
accounts, and output a "permission denied" whenever anyone tries to
log in to an account with a weak password. ;-) No, I think that's a
bad idea).
/Niels
