Date: Tue, 7 Aug 2001 22:40:02 -0700 (PDT)
From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: freebsd-bugs@FreeBSD.org
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Message-ID: <200108080540.f785e2S51972@freefall.freebsd.org>
The following reply was made to PR bin/29487; it has been noted by GNATS.

From: Yoshihiro Koya <Yoshihiro.Koya@math.yokohama-cu.ac.jp>
To: mheffner@vt.edu, mheffner@novacoxmail.com
Cc: Yoshihiro.Koya@math.yokohama-cu.ac.jp, FreeBSD-gnats-submit@freebsd.org
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Wed, 08 Aug 2001 14:40:45 +0900

Hello,

From: Mike Heffner <mheffner@novacoxmail.com>
Subject: RE: bin/29487: ftpd leaks password typed as username by mistake
Date: Mon, 06 Aug 2001 21:38:28 -0400 (EDT)
Message-ID: <XFMail.20010806213828.mheffner@novacoxmail.com>

> On 06-Aug-2001 Yoshihiro Koya wrote:
> |
> | One might quite often type the password instead of the username
> | into ftp clients by mistake.
> | In that case, ftpd(8) on FreeBSD logs the usernames into
> | /var/log/messages as follows
>
> But this information is sometimes relevant if you would like to be able to tell
> the difference between an attacker probing several different accounts and a
> normal user mistyping their username.

Yes. I agree with you. But I thought at that time that the defect that ftpd may leak the password is more harmful than the defect that I'm not able to distinguish the difference between a mistype and an attack.

> |
> | Aug 6 22:19:28 presario ftpd[814]: FTP LOGIN FAILED FROM localhost, mypass
> |
> | On the other hand, every user on the system can access /var/log/messages.
> | It might cause security related problems.
>
> A better way might be to log the username info to a different facility, auth,
> authpriv or something that's not logged to a world readable file.

I agree with you again. I think that your suggestion might be a better one.

koya
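The split Heffner suggests, written out as an added example (not FreeBSD's ftpd source and not a patch attached to this PR): the record that names the account goes to the authpriv facility, and the world-readable facility only gets the host. It assumes the daemon opens its log with LOG_FTP, as the sample line above implies, and that syslogd routes authpriv to a file that is not world-readable.

```c
/* Added example, not the FreeBSD ftpd code: log a failed FTP login so that
 * the typed name, which may really be a password, never reaches the
 * world-readable log. Assumes syslog.conf sends authpriv.* to a file
 * readable only by root (e.g. /var/log/auth.log) and ftp.notice to
 * /var/log/messages. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define FTPD_FACILITY LOG_FTP /* assumed facility passed to openlog() */

/* Public record: remote host only, so a mistyped password cannot leak. */
int format_public_failure(char *buf, size_t len, const char *host)
{
    return snprintf(buf, len, "FTP LOGIN FAILED FROM %s", host);
}

/* Private record: keeps the name so an admin can still tell an attacker
 * probing many accounts apart from one user mistyping. */
int format_private_failure(char *buf, size_t len,
                           const char *host, const char *name)
{
    return snprintf(buf, len, "FTP LOGIN FAILED FROM %s, %s", host, name);
}

/* A facility OR'ed into the priority overrides the one from openlog(),
 * so this line is routed by the authpriv rules in syslog.conf. */
int private_failure_priority(void)
{
    return LOG_AUTHPRIV | LOG_NOTICE;
}

void log_login_failure(const char *host, const char *name)
{
    char pub[256], priv[512];

    format_public_failure(pub, sizeof pub, host);
    format_private_failure(priv, sizeof priv, host, name);

    openlog("ftpd", LOG_PID | LOG_NDELAY, FTPD_FACILITY);
    syslog(LOG_NOTICE, "%s", pub);                  /* ftp.notice: world-readable log */
    syslog(private_failure_priority(), "%s", priv); /* authpriv.notice: restricted log */
    closelog();
}
```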