Fredrik Björk | 15 Sep 12:37

Patch to include the username in all syslog messages

Hi!

This may well be in some other contrib patch, but since I couldn't find a 
link to the contrib directory, here it is. It is a patch that adds the 
username (or mailbox, which should be the same most of the time) to all 
syslog messages that popa3d writes. It is very useful for detecting users 
that misspell usernames, or use incorrect case when typing the username.

Example:

Sep 15 12:22:14 mail01 popa3d[22645]: Authentication failed for UNKNOWN USER Vjen
Sep 15 12:22:14 mail01 popa3d[22659]: Authentication passed for sea0593a
Sep 15 12:22:14 mail01 popa3d[22659]: 25 messages (1585238 bytes) loaded for se0593a
Sep 15 12:22:14 mail01 popa3d[22659]: 0 (0) deleted, 25 (1585238) left for se0593a
Sep 15 12:25:17 mail01 popa3d[24468]: Authentication passed for se1161d
Sep 15 12:25:17 mail01 popa3d[24468]: 1 message (12918 bytes) loaded for se1161d
Sep 15 12:25:18 mail01 popa3d[24468]: 1 (12918) deleted, 0 (0) left for se1161d

popa3d unpatched would have given the following:

Sep 15 12:22:14 mail01 popa3d[22645]: Authentication failed for UNKNOWN USER
Sep 15 12:22:14 mail01 popa3d[22659]: Authentication passed for sea0593a
Sep 15 12:22:14 mail01 popa3d[22659]: 25 messages (1585238 bytes) loaded
Sep 15 12:22:14 mail01 popa3d[22659]: 0 (0) deleted, 25 (1585238) left
Sep 15 12:25:17 mail01 popa3d[24468]: Authentication passed
Sep 15 12:25:17 mail01 popa3d[24468]: 1 message (12918 bytes) loaded

Solar Designer | 17 Sep 12:53

Re: Patch to include the username in all syslog messages

Hi Fredrik,

First of all, thank you for sharing the patch with popa3d-users!

On Thu, Sep 15, 2005 at 12:39:33PM +0200, Fredrik Björk wrote:
> This may well be in some other contrib patch, but since I couldn't find a 
> link to the contrib directory, here it is.

All non-historical contributed patches available in the contrib
directory are linked from popa3d homepage at:

	http://www.openwall.com/popa3d/

The entire directory is available on the FTP site (and on its mirrors):

	ftp://ftp.openwall.com/pub/projects/popa3d/contrib/

> It is a patch that adds the 
> username (or mailbox, which should be the same most of the time) to all 
> syslog messages that popa3d writes. It is very useful for detecting users 
> that misspell usernames, or use incorrect case when typing the username.
[...]
> It is quite obvious that the patch helps our support staff quite a bit!

Yes.  Unfortunately, a side-effect is that you will also get some
plaintext passwords logged since some users are dumb enough to enter
their password in place of username.  This was one of two reasons for
not logging unknown usernames.  The other reason is that unknown
usernames may contain any "garbage" characters, including terminal
controls, making it unsafe to browse logs on some systems (where syslogd

Mr Duck | 17 Sep 19:34

Re: Patch to include the username in all syslog messages

Solar Designer wrote:
>>  Fredrik wrote:
>>  It is a patch that adds the username (or mailbox, which should
>>  be the same most of the time) to all syslog messages that popa3d
>>  writes. It is very useful for detecting users that misspell
>>  usernames, or use incorrect case when typing the username.

> Yes.  Unfortunately, a side-effect is that you will also get some
> plaintext passwords logged since some users are dumb enough to
> enter their password in place of username.  This was one of two
> reasons for

   It is unfortunate that someone would do this, but not enough of a
reason to cause any significant influence, IMHO.   Plus, a simple
password scan could check the unknown username against the password
list, and look for matches.  That would at least provide an
opportunity to do some adjustment so that their plain password was
not fully displayed... not really worth it IMHO, but if someone
was concerned over this...

> not logging unknown usernames.  The other reason is that unknown
> usernames may contain any "garbage" characters, including terminal
> controls, making it unsafe to browse logs on some systems (where syslogd
> does not filter or escape potential terminal controls) unless special
> precautions are taken (e.g., "less -U" is OK, "more" or plain "grep ..."
> with output to the terminal are not).

   An easy fix.  Before any logging is done with an unknown username,
parse it for "garbage" characters, and replace them with something
non-garbage...

Solar Designer | 19 Sep 06:10

Re: Patch to include the username in all syslog messages

On Sat, Sep 17, 2005 at 12:34:25PM -0500, Mr Duck wrote:
> Solar Designer wrote:
> >Unfortunately, a side-effect is that you will also get some
> >plaintext passwords logged since some users are dumb enough to
> >enter their password in place of username.  This was one of two
> >reasons for
> 
>   It is unfortunate that someone would do this, but not enough of a
> reason to cause any significant influence, IMHO.   Plus, a simple
> password scan could check the unknown username against the password
> list, and look for matches.  That would at least provide an
> opportunity to do some adjustment so that their plain password was
> not fully displayed... not really worth it IMHO, but if someone
> was concerned over this...

Such a password scan would be taking tens of seconds on a properly
configured system (with purposefully expensive password hashing) with
more than just a handful of accounts.  It would not catch (and hide)
mistyped passwords.  And it has its own security issues (timing leaks,
etc.) and implementation difficulties.  Overall, it's definitely not a
reasonable thing to do.

> >not logging unknown usernames.  The other reason is that unknown
> >usernames may contain any "garbage" characters, including terminal
> >controls, making it unsafe to browse logs on some systems (where syslogd
> >does not filter or escape potential terminal controls) unless special
> >precautions are taken (e.g., "less -U" is OK, "more" or plain "grep ..."
> >with output to the terminal are not).
> 
>   An easy fix.  Before any logging is done with an unknown username,
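The "easy fix" Mr Duck proposes for the second of Solar Designer's two concerns (terminal controls in an unknown username) is shown below as an added example. It is not code from popa3d, from the contrib patch, or from anyone in this thread. The \xNN escape form, the LOG_USER_MAX limit of 32 bytes, the "..." truncation marker and the log_names switch are all assumptions of this example; the inputs in main() are constructed. The switch exists because sanitizing does nothing for the first concern (a password typed in the username field): the only way to avoid logging such a password is to not log the attempted name at all, which is what log_names == 0 does.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit (this example's, not popa3d's): never log more than
 * this many source bytes of an unknown login name. */
#define LOG_USER_MAX 32

/* Copy src into dst, replacing every byte outside printable ASCII
 * (0x20..0x7e), and the backslash itself, with a \xNN escape so that
 * an ESC sequence typed as a "username" cannot reach the terminal of
 * whoever later greps or pages the log. At most maxlen source bytes
 * are consumed. Returns the number of bytes escaped, or -1 if dst
 * cannot hold the result (callers must treat -1 as failure). */
static int sanitize_for_log(char *dst, size_t dstsize,
                            const char *src, size_t maxlen)
{
    size_t i, o = 0;
    int escaped = 0;

    if (dstsize == 0)
        return -1;
    for (i = 0; i < maxlen && src[i]; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c >= 0x20 && c <= 0x7e && c != '\\') {
            if (o + 1 >= dstsize)
                return -1;
            dst[o++] = (char)c;
        } else {
            if (o + 4 >= dstsize)
                return -1;
            snprintf(dst + o, dstsize - o, "\\x%02x", (unsigned)c);
            o += 4;
            escaped++;
        }
    }
    dst[o] = '\0';
    return escaped;
}

/* Build the "UNKNOWN USER ..." field of an authentication-failure
 * message. log_names is an assumed admin switch: 0 keeps popa3d's
 * original behaviour of not logging the attempted name (only its
 * length, harmless even if the "name" was really a password); 1 logs
 * the sanitized, length-limited name. Returns out. */
static char *unknown_user_log_field(char *out, size_t outsize,
                                    const char *attempted, int log_names)
{
    char safe[4 * LOG_USER_MAX + 1]; /* worst case: every byte escaped */

    if (!log_names) {
        snprintf(out, outsize, "UNKNOWN USER (%lu bytes)",
                 (unsigned long)strlen(attempted));
        return out;
    }
    if (sanitize_for_log(safe, sizeof(safe), attempted, LOG_USER_MAX) < 0)
        strcpy(safe, "?"); /* cannot happen with these sizes; stay safe */
    snprintf(out, outsize, "UNKNOWN USER %s%s", safe,
             strlen(attempted) > LOG_USER_MAX ? "..." : "");
    return out;
}

int main(void)
{
    /* Constructed inputs: a mistyped name, a name carrying an ESC
     * sequence that would clear the screen of an unprotected pager,
     * and one containing a backslash. */
    const char *inputs[] = { "Vjen", "\x1b[2J\x1b[Hroot", "a\\b" };
    char field[160];
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        /* Hand the result to syslog(3) as a "%s" argument, never as
         * the format string itself. */
        printf("Authentication failed for %s\n",
               unknown_user_log_field(field, sizeof(field), inputs[i], 1));
        printf("Authentication failed for %s\n",
               unknown_user_log_field(field, sizeof(field), inputs[i], 0));
    }
    return 0;
}
```

Escaping rather than dropping the bad bytes keeps the evidence (an attempted ESC sequence is itself worth noticing), and the fixed source limit bounds the log line regardless of what the client sends. Neither measure makes a mistyped password any less readable in the log, so the decision to log unknown names at all remains a site policy.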
