[OpenAFS] Re: Error logging by pam_afs causes password to appear in log files

Charles Karney ckarney@sarnoff.com
Thu, 20 Feb 2003 13:38:29 -0500


 > From: Charles Clancy <security@xauth.net>
 > Date: Thu, 20 Feb 2003 12:20:23 -0600 (CST)
 > 
 > On Thu, 20 Feb 2003, Charles Karney wrote:
 > 
 > > Summary:
 > >
 > >     pam_afs logs the username on failed authentication attempts in
 > >     contexts where the user may accidentally have entered his password.
 > 
 > Most would blame this on the user.

Maybe, but this is a well known way of harvesting passwords.  On a
1000-user system this is likely to yield several a day.

 > > However, I would still claim that the behavior of pam_afs after a
 > > failure without the "nowarn" option should be
 > >
 > > (a) if the AFS user exists, log "bad password for AFS user USER"
 > > (b) if the AFS user does not exist, log "unknown AFS user"
 > 
 > The problem is that pam_afs doesn't know why authentication has failed --
 > be it an invalid username or invalid password.  It can specifically handle
 > the case where the password is blank, but it still doesn't know that
 > it's because you just typed in your password as a username.

Well, my suggestion stands.  If the username entered matches that of an
AFS user, then report that username.  Otherwise, just report "unknown
user".  (This is for the error message logged to system log file.  The
user himself should get the same error in these two cases.)

Anyway, thanks for your response.  I'm on a single-user system, so these
are really non-issues as far as I'm concerned.  However, they may be
more important for sys admins responsible for computers with lots of
(possibly naive) users.

-- 
Charles Karney                  Email:  ckarney@sarnoff.com
Sarnoff Corporation             Phone:  +1 609 734 2312
Princeton, NJ 08543-5300        Fax:    +1 609 734 2323
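The logging rule proposed in the message above, modelled as a small Python
function rather than a PAM module. This is an added example, not OpenAFS or
pam_afs code; the exact log wording, the `user_exists` callback and the sample
user directory are assumptions made for the illustration. It also includes a
small audit helper that checks whether any known stray secret ended up in the
generated log lines, which is the failure the thread is about.

```python
# Added example (not OpenAFS code): a PAM-style failure handler that only
# echoes the typed login name when it names a real AFS user, so a password
# mistakenly entered at the username prompt never reaches the system log.
from typing import Callable, Iterable, List, Sequence, Tuple


def failure_log_line(entered_name: str, user_exists: Callable[[str], bool]) -> str:
    """Line written to the system log after a failed AFS authentication.

    Case (a): the name resolves to an existing AFS user -> report it.
    Case (b): anything else (typo, empty name, or a password typed as the
    username) -> a fixed string that carries none of the typed input.
    The message texts are assumptions, not pam_afs's real wording.
    """
    if entered_name and user_exists(entered_name):
        return f"pam_afs: bad password for AFS user {entered_name}"
    return "pam_afs: unknown AFS user"


# The message shown to the person at the prompt is the same in both cases,
# as the thread suggests; only the system log distinguishes them.
USER_FACING_MESSAGE = "Login incorrect"


def handle_failures(attempts: Iterable[Tuple[str, str]],
                    user_exists: Callable[[str], bool]) -> List[str]:
    """Run several failed (username, password) attempts through the policy.

    The password half of each attempt is deliberately never looked at when
    composing the log line.
    """
    return [failure_log_line(name, user_exists) for name, _password in attempts]


def leaked_secrets(log_lines: Sequence[str], secrets: Sequence[str]) -> List[str]:
    """Audit helper: which of the given secrets appear verbatim in the log?

    Useful as a regression check on any logging change: feed it the secrets
    used in a test run and expect an empty list back.
    """
    return sorted({s for s in secrets for line in log_lines if s and s in line})


# Constructed sample data: a tiny user directory and three failed attempts,
# the last of which is the mistake discussed in the thread (the password was
# typed at the login prompt, followed by an empty password).
KNOWN_USERS = {"alice", "bob"}
SAMPLE_ATTEMPTS = [
    ("alice", "wrong-guess"),      # real user, wrong password
    ("alcie", "correct horse"),    # typo in the username
    ("correct horse", ""),         # password entered as the username
]

if __name__ == "__main__":
    lines = handle_failures(SAMPLE_ATTEMPTS, KNOWN_USERS.__contains__)
    for line in lines:
        print(line)
    print("secrets found in log:", leaked_secrets(lines, ["correct horse"]))
```

Run as-is it prints one "bad password for AFS user alice" line and two
"unknown AFS user" lines, and the audit reports no secret in the log; had the
handler echoed every typed name, the third attempt would have put
"correct horse" into the log file.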