
List:       kde-devel
Subject:    Re: seteuid() in kscreensaver
From:       hpj.lisa () t-online ! de (Hans-Peter Jansen)
Date:       1999-03-10 1:57:02

Rik Hemsley wrote:
> 
> > Oh, are here security experts around?
> > Perhaps you know, kcheckpass is writing to the system log, in
> > case of an authentication failure (wrong password).
> > What do you think about not writing to the log, if the
> > password is the empty string. I had admin reports telling
> > me the system logs fill up with such messages originating
> > from users trying to switch off their (or others) "screen
> > saver" by pressing "Return".
> > I don't see a possible exploit out of this - anybody else?
> 
> Finally a thread I understand - all this coding guff is massacring my grey
> cells ;)
> 
> I have certainly never heard of anyone trying to break things by entering a
> blank password. It just wouldn't work anyway.
> 
> I would say that I consider a login attempt that didn't supply a password to
> not actually be a login event. I think some systems ignore this anyway as on
> certain terminals you naturally press enter a couple of times when you sit
> down to make sure it's listening to you.
> 
> So: It's not a failed login, it's not counted as a login at all IMO.

As long as this login does not succeed (as no password is a possible password,
too). Or do you want to log only the failed login attempts?

Take care
Hans-Peter
 
> Cheers,
> Rik
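
The caveat raised in this reply, as an added example (not kcheckpass code and not part of the original message): verify the password first, and suppress the log entry only when an empty password has actually failed. The names `check_password`, `verify_fn`, `log_fn` and the sample accounts are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_OK, AUTH_FAIL_LOGGED, AUTH_FAIL_SILENT } auth_result;

/* Hypothetical hooks: a real checker would use crypt()/PAM and syslog(). */
typedef bool (*verify_fn)(const char *user, const char *pw);
typedef void (*log_fn)(const char *user);

auth_result check_password(const char *user, const char *pw,
                           verify_fn verify, log_fn log_failure)
{
    /* Verify first: the empty string may be the account's real password,
     * so emptiness alone must never short-circuit the check. */
    if (verify(user, pw))
        return AUTH_OK;
    /* Failed: stay silent only for empty input (Return on a locked screen). */
    if (pw[0] == '\0')
        return AUTH_FAIL_SILENT;
    log_failure(user);
    return AUTH_FAIL_LOGGED;
}

/* Constructed sample data: "guest" really has an empty password. */
static int failures_logged = 0;

static bool sample_verify(const char *user, const char *pw)
{
    if (strcmp(user, "alice") == 0) return strcmp(pw, "s3cret") == 0;
    if (strcmp(user, "guest") == 0) return pw[0] == '\0';
    return false;
}

static void sample_log(const char *user)
{
    failures_logged++;
    fprintf(stderr, "authentication failure for %s\n", user);
}

int main(void)
{
    printf("%d\n", check_password("alice", "", sample_verify, sample_log));
    printf("%d\n", check_password("alice", "wrong", sample_verify, sample_log));
    printf("%d\n", check_password("guest", "", sample_verify, sample_log));
    printf("logged: %d\n", failures_logged);
    return 0;
}
```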
