Bug#869773: xdm logs failed logins that may be sensitive

2017-07-28 Thread Nicolas George
On décadi 10 Thermidor, year CCXXV, Julien Cristau wrote:
> Isn't that true pretty much whichever way you log in (ssh, login, ...),
> not just xdm?

Probably. I just noticed it and verified it on xdm. If other login
prompts have the same issue, a common solution may be better.

Note that with ssh, there is no login prompt, normally.

Regards,

-- 
  Nicolas George




Bug#869773: xdm logs failed logins that may be sensitive

2017-07-28 Thread Julien Cristau
On Fri, Jul 28, 2017 at 21:06:47 +0200, Sven Joachim wrote:

> The unknown username should not be in the log, login(1) replaces names
> of non-existent users with "UNKNOWN" when logging failed attempts.
> 
How about this then (not even build tested):

diff --git a/greeter/greet.c b/greeter/greet.c
index 9b5cef4..ba4b3da 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -405,6 +405,9 @@ static void
 FailedLogin (struct display *d, const char *username)
 {
 #ifdef USE_SYSLOG
+if (!getpwnam(username))
+   username = "unknown user";
+
 if (username == NULL)
username = "username unavailable";
 
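Review bot: the new getpwnam() call runs before the existing `if (username == NULL)` check, so a NULL username is passed to getpwnam() first; move the NULL test ahead of the lookup, or guard it as `if (username != NULL && !getpwnam(username))`. Also confirm greet.c already includes <pwd.h> for getpwnam(), since the hunk adds no include. Minor: login(1) writes the literal "UNKNOWN" for non-existent users (as Sven noted), so using that string rather than "unknown user" keeps the log consistent for anything that parses both. Note that getpwnam() goes through NSS, so on hosts with a network directory this adds a remote lookup per failed attempt.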

Cheers,
Julien



Bug#869773: xdm logs failed logins that may be sensitive

2017-07-28 Thread Sven Joachim
On 2017-07-28 20:49 +0200, Julien Cristau wrote:

> On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:
>
>> Package: xdm
>> Version: 1:1.1.11-3
>> Severity: normal
>> 
>> Dear Maintainer,
>> 
>> When somebody tries to log in and fails, xdm writes the given user name in
>> the system logs. Unfortunately, typing the password in the login field is a
>> common mistake. When that happens, xdm logs it too. That leaves the
>> password of an user in clear in the system logs. It is not very
>> important, but still a little security concern since normally passwords
>> are stored permanently on the system only in hashed form.
>> 
>> The corresponding log line looks like this:
>> 
>> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
>> 
>> (I have redacted the login that was actually a password.)
>> 
>> It may be better to not log it at all, or maybe only log it when it matches
>> an actual login name.
>> 
> Isn't that true pretty much whichever way you log in (ssh, login, ...),
> not just xdm?

The unknown username should not be in the log, login(1) replaces names
of non-existent users with "UNKNOWN" when logging failed attempts.

Cheers,
   Sven
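The substitution Sven describes (and Julien's patch above attempts), written out as an added example that is not xdm's code: the supplied name goes to the log only when it resolves to an account, "UNKNOWN" is logged otherwise, and NULL is handled before any lookup. The account predicate is injectable so the demo runs against a constructed list (alice, bob) instead of /etc/passwd; failed_login_message() is a hypothetical stand-in for what FailedLogin() hands to syslog(), and "hunter2" is a constructed example of a password mistyped into the login field.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Predicate: nonzero when 'name' is a real account on this system. */
typedef int (*user_exists_fn)(const char *name);

/* Lookup against the system account database, which is what login(1) does. */
int user_exists_passwd(const char *name)
{
    return getpwnam(name) != NULL;
}

/* Constructed stand-in account list so the example runs without /etc/passwd. */
int demo_user_exists(const char *name)
{
    static const char *const accounts[] = { "alice", "bob" };
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(name, accounts[i]) == 0)
            return 1;
    return 0;
}

/* Name that is safe to log: the input only when it resolves to an account,
 * "UNKNOWN" (login(1)'s convention) otherwise, so a password typed into the
 * login field never reaches syslog. NULL/empty is checked before any lookup. */
const char *loggable_login_name(const char *username, user_exists_fn exists)
{
    if (username == NULL || username[0] == '\0')
        return "username unavailable";
    return exists(username) ? username : "UNKNOWN";
}

/* The message xdm's FailedLogin() would hand to syslog(), returned from a
 * static buffer so it can be inspected; not thread-safe, like getpwnam(). */
const char *failed_login_message(const char *display, const char *username,
                                 user_exists_fn exists)
{
    static char msg[256];
    snprintf(msg, sizeof msg, "LOGIN FAILURE ON %s, %s",
             display, loggable_login_name(username, exists));
    return msg;
}

int main(void)
{
    /* "hunter2" stands in for a password mistakenly typed as the login name. */
    puts(failed_login_message(":0", "hunter2", demo_user_exists));
    return 0;
}
```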



Bug#869773: xdm logs failed logins that may be sensitive

2017-07-28 Thread Julien Cristau
On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:

> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
> 
> Dear Maintainer,
> 
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of an user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
> 
> The corresponding log line looks like this:
> 
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
> 
> (I have redacted the login that was actually a password.)
> 
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.
> 
Isn't that true pretty much whichever way you log in (ssh, login, ...),
not just xdm?

Cheers,
Julien



Bug#869773: xdm logs failed logins that may be sensitive

2017-07-28 Thread G. Branden Robinson
At 2017-07-26T11:51:10+0200, Nicolas George wrote:
> Package: xdm
> Version: 1:1.1.11-3
> Severity: normal
> 
> Dear Maintainer,
> 
> When somebody tries to log in and fails, xdm writes the given user name in
> the system logs. Unfortunately, typing the password in the login field is a
> common mistake. When that happens, xdm logs it too. That leaves the
> password of an user in clear in the system logs. It is not very
> important, but still a little security concern since normally passwords
> are stored permanently on the system only in hashed form.
> 
> The corresponding log line looks like this:
> 
> Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX
> 
> (I have redacted the login that was actually a password.)
> 
> It may be better to not log it at all, or maybe only log it when it matches
> an actual login name.

Hmm, yes, that's bad.

Here's a quick-and-dirty, untested patch.  I didn't even compile-test it
because I can't get stock xdm to build on my Debian Stretch system.  The
xdm codebase is choked with bad style (unused results, discarded
qualifiers) that causes the compile to bomb long before it gets to
greet.c.

"Somebody should do something about that," he said, peering around a
corner into a mirror.

Regards,
Branden
--- xdm-1.1.11/greeter/greet.c.orig	2017-07-28 14:20:44.649055209 -0400
+++ xdm-1.1.11/greeter/greet.c	2017-07-28 14:21:09.812798680 -0400
@@ -405,12 +405,9 @@
 FailedLogin (struct display *d, const char *username)
 {
 #ifdef USE_SYSLOG
-if (username == NULL)
-	username = "username unavailable";
-
 syslog(LOG_AUTHPRIV|LOG_NOTICE,
-	   "LOGIN FAILURE ON %s, %s",
-	   d->name, username);
+	   "LOGIN FAILURE ON %s",
+	   d->name);
 #endif
 DrawFail (login);
 }
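Review bot: after this change `username` is an unused parameter of FailedLogin(), which will warn under -Wunused-parameter on top of the existing build noise; either drop it from the signature and callers or add `(void)username;`. The bigger concern is that removing the name for every failure also removes it for real accounts, so the log no longer shows which account repeated failures are aimed at. A narrower fix that keeps that signal is to log the name only when getpwnam() finds it and "UNKNOWN" otherwise, matching login(1) as Sven describes.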




Bug#869773: xdm logs failed logins that may be sensitive

2017-07-26 Thread Nicolas George
Package: xdm
Version: 1:1.1.11-3
Severity: normal

Dear Maintainer,

When somebody tries to log in and fails, xdm writes the given user name in
the system logs. Unfortunately, typing the password in the login field is a
common mistake. When that happens, xdm logs it too. That leaves the
password of an user in clear in the system logs. It is not very
important, but still a little security concern since normally passwords
are stored permanently on the system only in hashed form.

The corresponding log line looks like this:

Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXX

(I have redacted the login that was actually a password.)

It may be better to not log it at all, or maybe only log it when it matches
an actual login name.

Regards,

-- 
  Nicolas George


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xdm depends on:
ii  cpp                    4:6.3.0-4
ii  debconf [debconf-2.0]  1.5.61
ii  libc6                  2.24-11+deb9u1
ii  libpam0g               1.1.8-3.6
ii  libselinux1            2.6-3+b1
ii  libx11-6               2:1.6.4-3
ii  libxau6                1:1.0.8-1
ii  libxaw7                2:1.0.13-1+b2
ii  libxdmcp6              1:1.1.2-3
ii  libxext6               2:1.3.3-1+b2
ii  libxft2                2.3.2-1+b2
ii  libxinerama1           2:1.1.3-1+b3
ii  libxmu6                2:1.1.2-2
ii  libxpm4                1:3.5.12-1
ii  libxrender1            1:0.9.10-1
ii  libxt6                 1:1.1.5-1
ii  lsb-base               9.20161125
ii  procps                 2:3.3.12-3
ii  x11-utils              7.7+3+b1
ii  x11-xserver-utils      7.7+7+b1

xdm recommends no packages.

xdm suggests no packages.

-- debconf information:
  xdm/daemon_name: /usr/bin/xdm
* shared/default-x-display-manager: xdm
  xdm/stop_running_server_with_children: false

