Chris's Wiki :: blog/sysadmin/LogAllAuthentication Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/LogAllAuthentication?atomcomments
2012-09-09T08:17:32Z
Recent comments in Chris's Wiki :: blog/sysadmin/LogAllAuthentication.

From 85.0.112.218 on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>I think you’ve covered them, esp. with the recent entries expanding on issues you didn’t even hint at here, thanks. At least I can’t think of immediate open questions now. If I do I’ll ask.</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
2012-09-09T08:17:32Z

By Chris Siebenmann on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>Belatedly: I realized (post-facto) that I misread your first comment as
less general than it was and so only answered the question I thought you
were asking instead of the bigger one that you actually were. If there's
still inobvious things, leave another comment and I'll write more (I can
always use more entry seeds).</p>
</div>
2012-09-07T19:55:48Z

From 85.0.112.218 on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>Thank you. Bookmarked for later reference.</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
2012-08-31T15:06:01Z

By Chris Siebenmann on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>I think so (at least I can't think of anything else, more or less).
Every authentication point you have is presumably protecting <em>something</em>
or giving non-default access to something, so every such point is a
place where an attacker may look at something interesting and you'll
want to know about it.</p>
<p>(This goes double for authentication points which allow the attacker
to do something active, like sending email. But even knowing what an
attacker looked at or didn't bother with is useful and reassuring.)</p>
</div>
2012-08-31T05:27:28Z

From 85.0.112.218 on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>And the reasons why you want login logging everywhere – they are what follows in that paragraph? Or is there more?</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
2012-08-31T01:15:23Z

By Chris Siebenmann on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>I was all set to write an entry about this but then it turned out
that I already had: <a href="https://utcc.utoronto.ca/~cks/space/blog/sysadmin/LoggingUsernamesMistake">LoggingUsernamesMistake</a>.</p>
<p>The short version is that if you log unknown usernames, you will
inevitably sooner or later wind up logging someone's password (in
plain text). They may or may not realize this, and there may or
may not be an immediately following real login that gets logged
so that an attacker who peruses the logs can conveniently work
out who the password belongs to.</p>
</div>
2012-08-28T03:20:42Z

From 85.0.112.218 on /blog/sysadmin/LogAllAuthentication
<div class="wikitext"><p>I would gratefully welcome an entry that expands on all the obviousness in this one. (I am merely a developer; sysadmin thinking does not come naturally.)</p>
<p>—<a href="http://plasmasturm.org/">Aristotle Pagaltzis</a></p>
</div>
2012-08-27T23:27:19Z
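
An added example, not part of the entry or its comments, illustrating Chris Siebenmann's comment above about unknown usernames: an authentication logger that records every attempt but never writes an unrecognised username, while still counting such failures per source. The `Attempt` record, the function names, the log format and the sample events are all hypothetical and constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

UNKNOWN = "<unknown-user>"  # written in place of any unrecognised username

@dataclass
class Attempt:  # hypothetical event record, not a real library type
    ts: str
    source: str
    username: str  # whatever was typed at the username prompt
    success: bool

def log_line(a, known_users):
    """Format one authentication event without echoing unrecognised input."""
    # Only names of existing accounts reach the log; anything else may be a
    # password typed into the wrong field, so it is replaced by a placeholder.
    name = a.username if a.username in known_users else UNKNOWN
    result = "accepted" if a.success else "failed"
    return f"{a.ts} auth {result} user={name} from={a.source}"

def unknown_failures_by_source(attempts, known_users):
    """Keep the useful signal (who is guessing, how often) without the text."""
    return Counter(a.source for a in attempts
                   if not a.success and a.username not in known_users)

# Constructed sample events; addresses are documentation ranges.
KNOWN = {"alice", "bob"}
SAMPLE = [
    Attempt("2012-08-28T03:20:01Z", "192.0.2.10", "Tr0ub4dor&3", False),  # password at the username prompt
    Attempt("2012-08-28T03:20:09Z", "192.0.2.10", "alice", True),  # the real login right after
    Attempt("2012-08-28T03:21:30Z", "198.51.100.7", "bob", False),
    Attempt("2012-08-28T03:22:00Z", "198.51.100.7", "oracle", False),
    Attempt("2012-08-28T03:22:02Z", "198.51.100.7", "postgres", False),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(log_line(a, KNOWN))
    print(dict(unknown_failures_by_source(SAMPLE, KNOWN)))
```

The first two sample events reproduce the sequence the comment describes: a mistyped password followed by the real login from the same source. Only the second carries a name into the log.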