[tpop3d-discuss] New features ?

Paul Makepeace Paul.Makepeace at realprogrammers.com
Mon, 2 Dec 2002 20:11:33 +0000


On Mon, Dec 02, 2002 at 07:46:06PM +0000, Chris Lightfoot wrote:
> On Mon, Dec 02, 2002 at 08:44:08PM +0100, Yann GROSSEL wrote:
> > Well, the wrong password is not logged, only the login. I'd like to have the
> > password too. And I'd prefer to have it logged in a SQL table :)
> 
> I'm afraid I won't put that in the distribution. Too close
> to an invasion of privacy.

I don't have any stake in this but just noting that passwords are
required in plaintext for APOP to work so I'm wondering what the
distinction between having a misspelt password appear in a system log
versus a system database is? IME, and of course this is generalising and
anecdotal, access is generally laxer to DBs than system logs.

I can see a security issue if the log is world readable (Debian's
/var/log/mail.log apparently isn't) but then presumably any admin
turning on password logging like this would be clued up enough to
account for this. A putative ./configure switch could even check for
this dodgy scenario.

I'm curious what Yann sees as the benefit of password logging? If
there's a particular diagnostic process or typical problem that could be
readily identified perhaps there's another solution that could help?
I'm thinking along the lines of NT warning that the CAPSLOCK switch is
on: syslog("Login failed; password all in lowercase - client doing
something weird?")

Idle musingly yours,
Paul

-- 
Paul Makepeace ....................................... http://paulm.com/

"If men were honest, then grab your coathanger!"
   -- http://paulm.com/toys/surrealism/
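The caps-lock style diagnostic Paul sketches above, written out as an added example (this is not tpop3d code and not from any poster): a hypothetical classify_password() compares the attempt against the stored plaintext that APOP already requires and returns a hint category, so the log line carries the login and the reason but never the password itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Why a failed login failed, without ever recording the password. */
enum pw_hint {
    PW_MATCH,       /* password is correct */
    PW_CASE_ONLY,   /* differs from the stored one only in letter case */
    PW_ALL_LOWER,   /* wrong, and every letter typed is lowercase */
    PW_OTHER        /* wrong for some other reason: say nothing more */
};

/* Hypothetical helper: compare the attempted password against the stored
 * plaintext (which APOP needs anyway) and classify the mismatch. */
enum pw_hint classify_password(const char *attempted, const char *stored)
{
    if (strcmp(attempted, stored) == 0)
        return PW_MATCH;
    if (strcasecmp(attempted, stored) == 0)
        return PW_CASE_ONLY;
    int has_letter = 0;
    for (const unsigned char *p = (const unsigned char *)attempted; *p; ++p) {
        if (isalpha(*p)) {
            has_letter = 1;
            if (isupper(*p))
                return PW_OTHER;
        }
    }
    return has_letter ? PW_ALL_LOWER : PW_OTHER;
}

/* Build the syslog line: login name plus a hint only, never the password.
 * Returns -1 when there is nothing to log (successful login). */
int format_failure_line(char *buf, size_t len, const char *login, enum pw_hint h)
{
    const char *why;
    switch (h) {
    case PW_MATCH:     return -1;
    case PW_CASE_ONLY: why = "password differs only in case - CAPS LOCK on?"; break;
    case PW_ALL_LOWER: why = "password all in lowercase - client doing something weird?"; break;
    default:           why = "bad password"; break;
    }
    return snprintf(buf, len, "Login failed for %s; %s", login, why);
}
```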