Bug#869773: xdm logs failed logins that may be sensitive
On décadi 10 Thermidor, year CCXXV, Julien Cristau wrote:
> Isn't that true pretty much whichever way you log in (ssh, login, ...),
> not just xdm?

Probably. I just noticed it and verified it on xdm. If other login prompts
have the same issue, a common solution may be better.

Note that with ssh, there is no login prompt, normally.

Regards,

--
Nicolas George
Bug#869773: xdm logs failed logins that may be sensitive
On Fri, Jul 28, 2017 at 21:06:47 +0200, Sven Joachim wrote:
> The unknown username should not be in the log, login(1) replaces names
> of non-existent users with "UNKNOWN" when logging failed attempts.
>
How about this then (not even build tested):

diff --git a/greeter/greet.c b/greeter/greet.c index 9b5cef4..ba4b3da 100644 --- a/greeter/greet.c +++ b/greeter/greet.c @@ -405,6 +405,9 @@ static void FailedLogin (struct display *d, const char *username) { #ifdef USE_SYSLOG +if (!getpwnam(username)) + username = "unknown user"; + if (username == NULL) username = "username unavailable";

Cheers,
Julien
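Review bot: the new `if (!getpwnam(username))` runs before the existing `if (username == NULL)` guard, so the NULL case that the original code explicitly handles is now passed to getpwnam() first, which is not valid; swap the order so the NULL check comes first and the lookup only runs on a real string, e.g. `if (username == NULL) username = "username unavailable"; else if (!getpwnam(username)) username = "unknown user";`. Two smaller points: greet.c needs <pwd.h> for getpwnam(), and using "UNKNOWN" rather than "unknown user" would match the login(1) convention quoted just above, so anything already parsing auth logs treats xdm and login failures alike. Keep in mind that getpwnam() goes through NSS, so the typed string (possibly a password) is still handed to whatever name services are configured before the substitution happens.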
Bug#869773: xdm logs failed logins that may be sensitive
On 2017-07-28 20:49 +0200, Julien Cristau wrote:
> On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:
>
>> Package: xdm
>> Version: 1:1.1.11-3
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> When somebody tries to log in and fails, xdm writes the given user name in
>> the system logs. Unfortunately, typing the password in the login field is a
>> common mistake. When that happens, xdm logs it too. That leaves the
>> password of a user in clear in the system logs. It is not very
>> important, but still a little security concern since normally passwords
>> are stored permanently on the system only in hashed form.
>>
>> The corresponding log line looks like this:
>>
>> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
>>
>> (I have redacted the login that was actually a password.)
>>
>> It may be better to not log it at all, or maybe only log it when it matches
>> an actual login name.
>>
> Isn't that true pretty much whichever way you log in (ssh, login, ...),
> not just xdm?

The unknown username should not be in the log, login(1) replaces names
of non-existent users with "UNKNOWN" when logging failed attempts.

Cheers,
       Sven
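The substitution Sven describes (keep the name only when it matches an existing account, write "UNKNOWN" otherwise), combined with the NULL guard xdm already has, written out as an added example. This is not xdm's code and not any patch from this thread; the existence check is passed in as a callback so the policy can be exercised against a constructed account table (`user_exists_demo`, accounts "alice" and "bob") instead of the live user database, and all function names here are assumptions.

```c
#include <pwd.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Signature of the "does this account exist?" check. Keeping it pluggable
 * lets the policy be exercised against a constructed account table below
 * instead of the live user database. */
typedef int (*user_exists_fn)(const char *name);

/* Real lookup: consult the system user database via getpwnam(3). */
int user_exists_passwd(const char *name)
{
    return getpwnam(name) != NULL;
}

/* Constructed account table for demonstration only (not real accounts). */
static const char *const demo_accounts[] = { "alice", "bob" };

int user_exists_demo(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof demo_accounts / sizeof demo_accounts[0]; i++)
        if (strcmp(name, demo_accounts[i]) == 0)
            return 1;
    return 0;
}

/* Decide what may be written to the log for a failed attempt.
 * Order matters: the NULL guard must run before any lookup so a missing
 * name is never dereferenced. A name that matches no account is replaced
 * with "UNKNOWN", the convention login(1) uses, because such a string is
 * quite often a password typed into the wrong field. */
const char *loggable_login_name(const char *username, user_exists_fn exists)
{
    if (username == NULL)
        return "username unavailable";
    if (!exists(username))
        return "UNKNOWN";
    return username;
}

/* Render the line in xdm's "LOGIN FAILURE ON <display>, <name>" format
 * into buf; returns the number of characters the full line needs. */
int format_failed_login(char *buf, size_t len, const char *display,
                        const char *username, user_exists_fn exists)
{
    return snprintf(buf, len, "LOGIN FAILURE ON %s, %s", display,
                    loggable_login_name(username, exists));
}

/* What a hardened FailedLogin would send to syslog, with the facility and
 * priority xdm itself uses for this message. */
void log_failed_login(const char *display, const char *username)
{
    char line[256];
    format_failed_login(line, sizeof line, display, username,
                        user_exists_passwd);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line);
}

int main(void)
{
    char line[256];
    /* "hunter2" stands in for a password mistyped into the login field. */
    format_failed_login(line, sizeof line, ":0", "hunter2", user_exists_demo);
    puts(line); /* LOGIN FAILURE ON :0, UNKNOWN */
    format_failed_login(line, sizeof line, ":0", "alice", user_exists_demo);
    puts(line); /* LOGIN FAILURE ON :0, alice */
    return 0;
}
```

In a real greeter you would call `log_failed_login`, which uses `user_exists_passwd`; the demo table exists only so the two outcomes (account name kept, stray string replaced) can be shown without depending on which accounts the host has.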
Bug#869773: xdm logs failed logins that may be sensitive
On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:
> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
>
> Dear Maintainer,
>
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of a user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
>
> The corresponding log line looks like this:
>
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
>
> (I have redacted the login that was actually a password.)
>
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.
>
Isn't that true pretty much whichever way you log in (ssh, login, ...),
not just xdm?

Cheers,
Julien
Bug#869773: xdm logs failed logins that may be sensitive
At 2017-07-26T11:51:10+0200, Nicolas George wrote:
> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
>
> Dear Maintainer,
>
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of a user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
>
> The corresponding log line looks like this:
>
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
>
> (I have redacted the login that was actually a password.)
>
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.

Hmm, yes, that's bad. Here's a quick-and-dirty, untested patch. I didn't
even compile-test it because I can't get stock xdm to build on my Debian
Stretch system. The xdm codebase is choked with bad style (unused results,
discarded qualifiers) that causes the compile to bomb long before it gets
to greet.c.

"Somebody should do something about that," he said, peering around a
corner into a mirror.

Regards,
Branden

--- xdm-1.1.11/greeter/greet.c.orig 2017-07-28 14:20:44.649055209 -0400 +++ xdm-1.1.11/greeter/greet.c 2017-07-28 14:21:09.812798680 -0400 @@ -405,12 +405,9 @@ FailedLogin (struct display *d, const char *username) { #ifdef USE_SYSLOG -if (username == NULL) - username = "username unavailable"; - syslog(LOG_AUTHPRIV|LOG_NOTICE, - "LOGIN FAILURE ON %s, %s", - d->name, username); + "LOGIN FAILURE ON %s", + d->name); #endif DrawFail (login); }
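Review bot: removing the username from the syslog line entirely also removes the signal that makes failed-login records useful to a defender (repeated failures against one real account, lockout or fail2ban-style policies keyed on the account name); the reporter's second option, logging the name only when it matches an existing account, avoids the password-in-logs problem while keeping that signal. Suggest keeping the `"LOGIN FAILURE ON %s, %s"` form and guarding the second argument with a user-database lookup (after the NULL check this hunk deletes) instead of dropping it. Minor: after this change `username` is no longer referenced anywhere in the visible body of FailedLogin, so builds with -Wunused-parameter will warn on it.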
Bug#869773: xdm logs failed logins that may be sensitive
Package: xdm
Version: 1:1.1.11-3
Severity: normal

Dear Maintainer,

When somebody tries to log in and fails, xdm writes the given user name in
the system logs. Unfortunately, typing the password in the login field is a
common mistake. When that happens, xdm logs it too. That leaves the
password of a user in clear in the system logs. It is not very
important, but still a little security concern since normally passwords
are stored permanently on the system only in hashed form.

The corresponding log line looks like this:

Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX

(I have redacted the login that was actually a password.)

It may be better to not log it at all, or maybe only log it when it matches
an actual login name.

Regards,

--
Nicolas George

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xdm depends on:
ii  cpp                    4:6.3.0-4
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b1
ii  libx11-6               2:1.6.4-3
ii  libxau6                1:1.0.8-1
ii  libxaw7                2:1.0.13-1+b2
ii  libxdmcp6              1:1.1.2-3
ii  libxext6               2:1.3.3-1+b2
ii  libxft2                2.3.2-1+b2
ii  libxinerama1           2:1.1.3-1+b3
ii  libxmu6                2:1.1.2-2
ii  libxpm4                1:3.5.12-1
ii  libxrender1            1:0.9.10-1
ii  libxt6                 1:1.1.5-1
ii  lsb-base               9.20161125
ii  procps                 2:3.3.12-3
ii  x11-utils              7.7+3+b1
ii  x11-xserver-utils      7.7+7+b1

xdm recommends no packages.

xdm suggests no packages.

-- debconf information:
  xdm/daemon_name: /usr/bin/xdm
* shared/default-x-display-manager: xdm
  xdm/stop_running_server_with_children: false