
Reply To: Failed Authentications

#9231

mas
Participant

Uhm, just compiled the version svn-1549. But I am afraid this logging you put in isn't gonna help a lot.

What it does when I do a correct login is it writes into both syslog and mt-daapd.log:

Apr 22 22:12:39 schnecke mt-daapd[32203]: Checking NULL/NULL for admin
Apr 22 22:12:39 schnecke mt-daapd[32203]: Checking /[pw] for admin

So each CORRECT password authentication goes with the cleartext password into the log files.

And if I do a wrong password login it looks like, you guess:
Apr 22 22:08:37 schnecke mt-daapd[32126]: Checking /[wrongpw] for admin
Apr 22 22:08:37 schnecke mt-daapd[32128]: Checking NULL/NULL for admin

Nothing to discriminate this from a correct login. Plus I believe logging the PASSWORDS in cleartext is not good practice.

It should log the IP address there, NOT the passwords attempted. Also it would be preferable not to log correct logins into syslog – blows up the syslog a lot. Only faulty ones with a message indicating this was a wrong login attempt. Plus the ideal place to log these wrong logins on my debian slug would be auth.log even.

But the cleartext correct logins going into the log files is IMHO even dangerous, even though the log shouldn't be world readable. Pls change that to log the IP not the passwords.
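
The logging behaviour asked for in the post above, as an added example (not part of the original post and not mt-daapd's own code): only failed logins are written, with the client IP and user name but never the password, and with the authpriv facility so they end up in auth.log on a default Debian syslog setup. The function names, the message wording and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical helper: copy an untrusted field into dst, replacing control
 * characters and spaces so a client cannot forge extra log lines or fields. */
static void sanitize_field(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (dstlen == 0) return;
    if (src == NULL) src = "-";
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isgraph((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Build the line for one authentication attempt. The password is not a
 * parameter, so it can never reach the log. Returns the syslog priority
 * to use, or -1 when nothing should be written (successful login). */
int format_auth_event(char *out, size_t outlen, const char *client_ip,
                      const char *user, int success)
{
    char ip[64], name[64];
    if (success)
        return -1;                      /* keep syslog quiet on good logins */
    sanitize_field(ip, sizeof ip, client_ip);
    sanitize_field(name, sizeof name, user);
    snprintf(out, outlen, "authentication failure; user=%s rhost=%s", name, ip);
    return LOG_AUTHPRIV | LOG_WARNING;  /* auth.log on a default Debian syslog */
}

void log_auth_event(const char *client_ip, const char *user, int success)
{
    char line[192];
    int prio = format_auth_event(line, sizeof line, client_ip, user, success);
    if (prio >= 0)
        syslog(prio, "%s", line);       /* fixed format string, data as argument */
}

int main(void)
{
    openlog("mt-daapd", LOG_PID, LOG_DAEMON);
    log_auth_event("192.0.2.10", "admin", 0);   /* constructed sample values */
    log_auth_event("192.0.2.10", "admin", 1);   /* success: nothing logged */
    closelog();
    return 0;
}
```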