[cvsnt] Re: 2.5.01.1998: User password in CLEAR(public) form in "secure" log on Linux

Tony Hoyle tmh at nodomain.org
Wed Jun 22 10:40:00 BST 2005




Andrew Gaganov wrote:

> I didn't find an option to disable it.
> It would be better not to show passwords in clear form, even if login fails.
> 
It's in the secure log (LOG_AUTHPRIV) which only root can access - the 
purpose of this log is to log information that ordinary users cannot 
see.  Since it's the wrong password anyway, and root can already read 
/etc/shadow and crack the correct password (or simply change an existing 
password), it's not any information that isn't already available.

cvshome cvs does exactly the same thing, btw, and always has done as far 
as I can tell (at least as far back as 2001 from searching).

You can always disable it in the code if it bothers you that much.

Tony
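
For readers who take the "disable it in the code" route mentioned above, here is an added example (not CVSNT or cvshome source, and not written by either poster) of a failed-login audit record sent to LOG_AUTHPRIV without the attempted password. The function names and the message format are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy src into dst, replacing control and non-ASCII bytes with '?', so a
 * client-supplied field cannot inject newlines or forge extra log records. */
static void sanitize_field(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0)
        return;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[i] = '\0';
}

/* Build the audit line. The attempted password is deliberately not a
 * parameter, so it cannot reach the log through this path.
 * Returns the snprintf() result (length of the formatted line). */
int format_login_failure(char *out, size_t outlen,
                         const char *user, const char *repo)
{
    char u[64], r[256];
    sanitize_field(u, sizeof u, user);
    sanitize_field(r, sizeof r, repo);
    return snprintf(out, outlen, "login failure by %s (for %s)", u, r);
}

/* Send the record to the root-only auth log discussed in the thread. */
void log_login_failure(const char *user, const char *repo)
{
    char line[512];
    format_login_failure(line, sizeof line, user, repo);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line);
}

int main(void)
{
    /* Constructed sample input: a username carrying an embedded newline. */
    openlog("cvs-example", LOG_PID, LOG_AUTHPRIV);
    log_login_failure("alice\nFAKE", "/cvsroot");
    closelog();
    return 0;
}
```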


