tech-security archive


Re: password change logging



On Fri, Feb 26, 2010 at 11:47:09AM -0500, Greg Troxel wrote:
 > NetBSD doesn't currently log successful password changes or unsuccessful
 > attempts to change passwords.  Sometimes IT rules require this, and it
 > seems to be of general interest when running a tight ship.  Password
 > changes are rare, so this is hardly log noise compared to every ssh
 > connection and login.
 > 
 > Richard Hansen (also of BBN) wrote the following patch.  I've compiled
 > it on netbsd-5 on several arches and tested on i386.  It applied to
 > current cleanly and built fine for amd64.
 > 
 > I'd like to commit this.  Any objections or encouragement?

Sounds like a good idea to me. Just one thing: can you arrange it so
if the entered old password was empty it doesn't bother logging a
failure? People often type things in the wrong window and there's no
need to set off unnecessary alarms for simple instances...

-- 
David A. Holland
dholland%netbsd.org@localhost

