Hi Nico!
Let's keep debian-security in the discussion to see what others have
to say about this.
Technically I agree with you when you say that people shouldn't enter
anything but their usernames at the login prompt, but the fact is that
people (like me and the bug submitter for example) *do*
Johan Walles wrote:
Hi Nico!
Let's keep debian-security in the discussion to see what others have
to say about this.
Technically I agree with you when you say that people shouldn't enter
anything but their usernames at the login prompt, but the fact is that
people (like me and the bug
Hi Johan,
* Johan Walles [EMAIL PROTECTED] [2008-08-28 11:46]:
Let's keep debian-security in the discussion to see what others have
to say about this.
Technically I agree with you when you say that people shouldn't enter
anything but their usernames at the login prompt, but the fact is that
2008/8/28 Giacomo A. Catenazzi [EMAIL PROTECTED]:
Johan Walles wrote:
Security shouldn't be based on nobody ever doing more or less common
mistakes.
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root, because users do errors.
It's
Hi Johan,
* Johan Walles [EMAIL PROTECTED] [2008-08-28 13:14]:
2008/8/28 Giacomo A. Catenazzi [EMAIL PROTECTED]:
[...]
So auth.log should log usernames, so that users don't do
wrong assumption that password are not accessible by root!
I can see a point in logging *valid* usernames.
On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
2008/8/28 Giacomo A. Catenazzi [EMAIL PROTECTED]:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root, because users do errors.
It's readable by anybody with physical access
Mark Brown wrote:
On Thu, Aug 28, 2008 at 01:05:19PM +0200, Johan Walles wrote:
2008/8/28 Giacomo A. Catenazzi [EMAIL PROTECTED]:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root, because users do errors.
It's readable by anybody
On 2008-08-28 13:05, Johan Walles wrote:
It's readable by anybody with physical access to the hardware.
If their have physical access to the hardware, auth.log would be
my least worry.
That doesn't mean Debian should *help* root doing that in a default
install. Security by default, anybody?
Excuse me, but this is very simple thing, this is not big philosophical
problem.
The software has ability to log login+password for troubleshooting, which
is great (users ALWAYS claim that they are writting their password
correctly, so this is nice to have). Since it's not enabled by default,
On Thu, Aug 28, 2008 at 08:37:07PM +0200, ,,, wrote:
Excuse me, but this is very simple thing, this is not big philosophical
problem.
The software has ability to log login+password for troubleshooting, which
is great (users ALWAYS claim that they are writting their password
correctly, so
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root,
Then there is a bug in another package if this is what should be, because
/var/log/auth.log is readable by group adm on
Nico Golde un jour écrivit:
Hi Johan,
* Johan Walles [EMAIL PROTECTED] [2008-08-28 13:14]:
2008/8/28 Giacomo A. Catenazzi [EMAIL PROTECTED]:
[...]
So auth.log should log usernames, so that users don't do
wrong assumption that password are not accessible by root!
I can see a point in logging
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root,
Then there is a bug in another package if this is
On Thu, Aug 28, 2008 at 02:37:37PM -0700, Steve Langasek wrote:
On Thu, Aug 28, 2008 at 09:36:41AM +0200, Giacomo A. Catenazzi wrote:
auth.log was invented for this reason, and separated to standard log:
it should be readable only by root,
Then there is a bug in another package if this is
14 matches
Mail list logo