[2835] in bugtraq
Re: Write-only devices (Was read only devices)
daemon@ATHENA.MIT.EDU (Robert Banz)
Fri Jun 28 14:14:00 1996
Date: Fri, 28 Jun 1996 11:42:59 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Robert Banz <banz@nolimit110.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <Pine.SOL.3.93.960627174033.25099B-100000@clark.net>
On Thu, 27 Jun 1996 aleipold@clark.net wrote:
> > I think you should log more than just valid usernames. In logging code
> > I wrote once I logged all usernames that had one of the following
> > characteristics:
> > - existing user
> > - only alphanumeric characters, starting with an alpha
> >
> > While that may still log passwords, it only logs weak passwords.
>
>
> Take it a step further. In messing around with sources to daemons
> I figured the best way to do this would be: (note, don't do this on systems
> with lots of accounts). I knew that a computer (586) can do about 1200
> crypts per second. So then I:
>
> while (accountsleft)
> oops=crypt(words,salt[a-z]);
> if oops=rightpassword then don't syslogit
> otherwise:
> syslog("oops...");
Wouldn't work if you're using a system with either 13000 users or
some other method of authentication for logins (such as kerberos). Hence,
it's a really good idea(tm) for your syslog to be readable only by root,
or a certain 'special' group of people. (also good to let your users
know that they should read before they type, but you know how much
good that does)
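The first quoted rule (log a failed-login name only if it is an existing account, or is alphanumeric and starts with a letter) as an added C example; this is not code from either poster. The account list stands in for getpwnam() so it runs offline, and the function names and the "<redacted>" marker are the example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of "existing" accounts, used instead of getpwnam()
 * so the example never touches the real password file. */
static const char *known_users[] = { "root", "banz", "aleipold", NULL };

/* Hypothetical helper: does the name match an existing account? */
int user_exists(const char *name)
{
    for (const char **u = known_users; *u != NULL; u++)
        if (strcmp(*u, name) == 0)
            return 1;
    return 0;
}

/* Second rule from the quoted post: only alphanumeric characters,
 * starting with a letter. A mistyped password with punctuation, or one
 * beginning with a digit, fails this test and is never written out. */
int looks_like_username(const char *name)
{
    if (name == NULL || *name == '\0' || !isalpha((unsigned char)*name))
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p))
            return 0;
    return 1;
}

/* Policy decision: may this failed-login name go into the log? */
int should_log_username(const char *name)
{
    return user_exists(name) || looks_like_username(name);
}

/* The line a daemon would hand to syslog(3). The name is kept only when
 * the policy allows it; otherwise a fixed marker takes its place, so a
 * password typed at the login prompt does not end up in the log. */
const char *login_failure_line(const char *name)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "login failed for user %s",
             should_log_username(name) ? name : "<redacted>");
    return buf;
}

int main(void)
{
    /* Constructed sample of names seen at a login prompt. */
    const char *attempts[] = { "banz", "bob", "s3cr3t!", "My.Passw0rd", "3abc" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        puts(login_failure_line(attempts[i]));
    return 0;
}
```

As the original poster admits, a plain lower-case word such as "bob" passes the second rule, so weak passwords can still be logged; that is the gap Banz closes by keeping the log readable only by root or a trusted group.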