Date:      Mon, 6 Aug 2001 18:50:01 -0700 (PDT)
From:      Mike Heffner <mheffner@novacoxmail.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   RE: bin/29487: ftpd leaks password typed as username by mistake
Message-ID:  <200108070150.f771o1h35954@freefall.freebsd.org>

The following reply was made to PR bin/29487; it has been noted by GNATS.

From: Mike Heffner <mheffner@novacoxmail.com>
To: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Mon, 06 Aug 2001 21:38:28 -0400 (EDT)

 
 On 06-Aug-2001 Yoshihiro Koya wrote:
 | 
 | It might quite often happen that one types the password instead of the
 | username to ftp clients by mistake.
 | In that case, ftpd(8) on FreeBSD logs the usernames into
 | /var/log/messages as follows
 
 But this information is sometimes relevant if you would like to be able to tell
 the difference between an attacker probing several different accounts and a
 normal user mistyping their username.
 
 | 
 |       Aug  6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
 | 
 | On the other hand, every user on the system can access /var/log/messages.
 | It might cause security-related problems.
 
 A better way might be to log the username info to a different facility, auth,
 authpriv or something that's not logged to a world readable file.
 
 Mike
 
 -- 
   Mike Heffner         <mheffner@[acm.]vt.edu>
   Fredericksburg, VA       <mikeh@FreeBSD.org>
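
The facility split suggested in the reply above, as an added example that is not part of the original message and not FreeBSD ftpd's own code. The helper names, buffer sizes and the syslog.conf paths in the comment are assumptions; `LOG_FTP` and `LOG_AUTHPRIV` are the standard syslog(3) facilities.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/*
 * Hypothetical helper (not ftpd's code). Builds two lines for a failed login:
 * pub omits whatever was typed at the USER prompt, since it may be a
 * password; priv keeps it. Returns 0, or -1 if either line was truncated.
 */
static int
format_login_failure(const char *host, const char *typed,
    char *pub, size_t publen, char *priv, size_t privlen)
{
	int a = snprintf(pub, publen, "FTP LOGIN FAILED FROM %s", host);
	int b = snprintf(priv, privlen, "FTP LOGIN FAILED FROM %s, %s", host, typed);

	if (a < 0 || (size_t)a >= publen || b < 0 || (size_t)b >= privlen)
		return -1;
	return 0;
}

/*
 * The host-only line goes to the ftp facility; the line carrying the typed
 * name goes to authpriv. A facility OR'ed into the priority overrides the
 * openlog() default for that call. Assumed syslog.conf routing:
 *   ftp.*       /var/log/ftpd.log       (assumed path)
 *   authpriv.*  /var/log/authpriv.log   (assumed path; keep it mode 0600)
 */
static int
log_login_failure(const char *host, const char *typed)
{
	char pub[256], priv[512];

	if (format_login_failure(host, typed, pub, sizeof(pub), priv, sizeof(priv)) != 0)
		return -1;
	syslog(LOG_FTP | LOG_NOTICE, "%s", pub);
	syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", priv);
	return 0;
}

int
main(void)
{
	openlog("ftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
	/* Constructed input, taken from the log line in the report. */
	int rc = log_login_failure("localhost", "mypass");
	closelog();
	return rc == 0 ? 0 : 1;
}
```

For the split to help, the syslog.conf selector that feeds the world-readable file also has to exclude the private facility, for example with `authpriv.none`.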
 
 
