Hashing of usernames in syslog

Russ Allbery rra at stanford.edu
Thu Oct 3 16:00:42 UTC 2002


Erik Klavon <erik at eriq.org> writes:

> It is not essential to log usernames, but it is convenient when
> troubleshooting to be able to associate log entries by username with a
> particular user who has complained of trouble.

Yeah, agreed.

> A one way hash makes it easy given an individual username to grep all
> entries for that username from the log without having to store the
> usernames in plain text. It's not always possible to depend on hostnames
> and IP addresses for identification in this case since these connections
> will be coming from external networks.

Hm, yes, good point.

> I'm not sure how to achieve this and still authenticate users with the
> new Perl hooks.

Oh, right, you're using the Perl hooks.  Yes, before the patch you just
posted, there wasn't a good way to do this with the Perl hooks.  (It's
much easier to do using the external authenticators.)

> I agree; we'll definitely keep the logs private. When thinking about the
> security of the server, this issue came up when assessing the
> vulnerability of the principals and passphrases in the event the server
> is ever rooted.

I must say, I still don't understand how hashing the usernames will help
with this.  Regardless of what you do, if the server is rooted, any user
who logs on to the server while the attacker has root is exposing their
Kerberos password.  But those are the only vulnerable users; since the
server doesn't retain password information, an attacker can only
compromise users who are using the server while it's rooted.

Hashing or not hashing the usernames doesn't change this; the obvious way
for the attacker to capture the usernames and passwords is to modify or
replace your authentication code, which bypasses all of that.

Hashing the usernames only makes sense to me if usernames are considered
secret information; usually this isn't the case, although I don't know the
details of your situation.

> (Yes, this might be a little bit beyond reasonable fear, but it stems
> from the issue of operating a proxy server not under the control of the
> group which runs the authentication service. The oversight committee has
> been kind enough to allow us to go forward with a pilot test and I don't
> want them to feel uncomfortable about the security of the system when we
> ask for permission to put the service into production.)

Yeah, this makes sense.

I have the advantage of also being the person who runs the Kerberos
authentication servers.  :)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
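
The logging scheme discussed in the quoted proposal (store a one-way token in place of the username, then look up one user's entries by recomputing the token), as an added example that is not part of the original message and is not INN code. It assumes a keyed HMAC-SHA256 instead of a bare hash, since usernames are guessable and a keyless hash can be recomputed by anyone holding the log; the key, the `user=` field, the function names and the sample log lines are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a secret key readable only by the logging process (constructed value).
LOG_KEY = b"constructed-demo-key"

# Assumption: usernames appear in log lines as a user=<name> field.
USER_FIELD = re.compile(r"\buser=(\S+)")


def log_token(username, key=LOG_KEY):
    """Keyed one-way token written to the log in place of the username."""
    # Normalize so "Alice" and "alice " map to the same token.
    canonical = username.strip().lower().encode("utf-8")
    # 16 hex characters (64 bits) is enough to correlate entries for one site.
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def pseudonymize(line, key=LOG_KEY):
    """Replace every user=<name> field with user=<token> before it is logged."""
    return USER_FIELD.sub(lambda m: "user=" + log_token(m.group(1), key), line)


def entries_for(username, log_lines, key=LOG_KEY):
    """Operator-side lookup: the 'grep' for one complaining user's entries."""
    field = "user=" + log_token(username, key)
    # Match the whole field, not a substring, to avoid partial-token hits.
    return [line for line in log_lines if field in line.split()]


# Constructed sample lines in a hypothetical format, not real INN log output.
RAW = [
    "Oct  3 16:00:42 news auth[1201]: user=alice result=ok peer=203.0.113.7",
    "Oct  3 16:01:10 news auth[1202]: user=bob result=fail peer=198.51.100.9",
    "Oct  3 16:02:55 news auth[1207]: user=Alice result=ok peer=192.0.2.44",
]
STORED = [pseudonymize(line) for line in RAW]

if __name__ == "__main__":
    for line in entries_for("alice", STORED):
        print(line)
```

The token only hides usernames from someone who has the log but not the key; as the reply above notes, it does nothing for users who authenticate while an attacker controls the server.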


More information about the inn-workers mailing list