Hashing of usernames in syslog

Russ Allbery rra at stanford.edu
Sat Sep 28 18:29:13 UTC 2002


Erik Klavon <erik at eriq.org> writes:

> I would like to be able to hash every occurrence of usernames which
> appear in syslog entries made by nnrpd. This feature would be
> configurable in inn.conf and would require SSL. It would use the SHA-1
> cryptographic hash function. I haven't thought this through in detail,
> but here is my initial idea of an approach.

Why not just use MD5?  Then you don't have to require SSL; MD5 comes with
INN already.

> I would implement this by first writing a function that takes as
> argument the username and returns either an encrypted version or
> a copy of its argument, depending on the option in inn.conf. A new
> global variable would be used to store the encrypted value. Every syslog
> statement which includes a username would be modified to use this new
> value.

> What does everyone think about this idea/approach? 

I assume the intention is to obfuscate the usernames so that you're not
storing specific user information but can still associate connections?
I'm not sure how generally useful this is, in large part because given all
the information that's logged, it wouldn't be particularly hard to map
things back to a username again if the person ever posts.  Or just check
RADIUS logs or the like to see what the IP address maps to.

It should be pretty straightforward to implement this, but it's not
entirely clear to me whether it's something we'll want to take back in the
main source tree.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
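
An added example, not part of the original message and not INN code: the proposed hash-or-copy function applied to constructed log events, showing that hashed names still link connections and that a host-to-user mapping from a second source (standing in for the RADIUS logs mentioned above) maps the tokens back to names. The function names, the `hash_usernames` flag, the log line layout and the sample data are all assumptions made for illustration.

```python
import hashlib


def log_username(username, hash_usernames, algo="md5"):
    """Return the value to log: a hex digest when hashing is enabled
    (the proposed inn.conf option, hypothetical name), else the name as-is."""
    if not hash_usernames:
        return username
    return hashlib.new(algo, username.encode("utf-8")).hexdigest()


# Constructed sample events (client host, username); not real nnrpd output.
EVENTS = [
    ("192.0.2.10", "alice"),
    ("192.0.2.11", "bob"),
    ("192.0.2.10", "alice"),
]

# Constructed second data source standing in for "RADIUS logs or the like".
HOST_TO_USER = {"192.0.2.10": "alice", "192.0.2.11": "bob"}


def render(events, hash_usernames, algo="md5"):
    """Build one log line per event in a made-up 'host user token' layout."""
    return [
        f"{host} user {log_username(user, hash_usernames, algo)}"
        for host, user in events
    ]


def relink(lines, host_to_user):
    """Map each logged token back to a name using only the host field."""
    mapping = {}
    for line in lines:
        host, _, token = line.split()
        if host in host_to_user:
            mapping[token] = host_to_user[host]
    return mapping


if __name__ == "__main__":
    hashed = render(EVENTS, hash_usernames=True)
    for line in hashed:
        print(line)
    # The same digest appears on lines 1 and 3, so sessions stay linkable,
    # and the host field alone is enough to recover who each digest is.
    print(relink(hashed, HOST_TO_USER))
```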


More information about the inn-workers mailing list