Hashing of usernames in syslog

Erik Klavon erik at eriq.org
Sun Sep 29 18:43:16 UTC 2002


On Sat, Sep 28, 2002 at 04:38:31PM -0700, Russ Allbery wrote:
> First, I don't understand why the usernames would be logged at all.  Are
> you trying to track something that requires you to log the username?  I
> can't picture any need there that would still be satisfied easily by an
> obfuscated version of the username in the local logs, so if you don't want
> usernames logged, why do it?

It is not essential to log usernames, but it is convenient when
troubleshooting to be able to associate log entries by username with a
particular user who has complained of trouble. A one way hash makes it
easy given an individual username to grep all entries for that
username from the log without having to store the usernames in plain
text. It's not always possible to depend on hostnames and IP addresses for
identification in this case since these connections will be coming
from external networks.

> You can map all valid users to the same
> identity in either readers.conf or in your authentication program.

I'm not sure how to achieve this and still authenticate users with the
new Perl hooks. I assume that you are referring here to the default:
parameter. My understanding from the code is that if I include a
default: parameter in the auth group, then if that auth group is
reached it will match the client. No authentication will take place
since the identity of the client is known. As for setting the identity
in the authentication program, I'm not sure how to do this. Let me
know what I'm missing here, this will solve my problem!

> Second, presumably the news logs are private; why is it an issue that
> student IDs appear in them?  Presumably you'd want to treat them the same
> as, say, your SMTP logs, which similarly contain account names.  Only make
> data public in aggregate, if then, and ensure that only authorized users
> have access to the logs.

I agree; we'll definitely keep the logs private. When thinking about
the security of the server, this issue came up when assessing the
vulnerability of the principals and passphrases in the event the server
is ever rooted. (Yes, this might be a little bit beyond reasonable
fear, but it stems from the issue of operating a proxy server not
under the control of the group which runs the authentication
service. The oversight committee has been kind enough to allow us to
go forward with a pilot test and I don't want them to feel
uncomfortable about the security of the system when we ask for
permission to put the service into production.)

Erik

-- 
erik         | "It is idle to think that, by means of words, | Maurice
  kl at von     | any real communication can ever pass | Maeterlinck
    eriq.org | from one [human] to another." | Silence
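
The approach described in the message above, as an added example that is not part of the original post or of INN: usernames are replaced by a one-way token before logging, and an operator who knows a username recomputes the token to pull that user's entries. HMAC-SHA256 is this example's choice (the post says only "one way hash"); the key, function names and log line layout are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key for this example. Assumption: in a real deployment the key
# is read from a file readable only by the news user, not hard-coded.
LOG_KEY = b"constructed-example-key"


def user_token(username: str, key: bytes = LOG_KEY) -> str:
    """Return a stable one-way token for a username.

    A keyed hash is used because a plain hash over a small, guessable
    space (such as student IDs) can be reversed by hashing every candidate.
    """
    digest = hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()
    # 16 hex characters (64 bits) keeps log lines short while making
    # accidental collisions between users negligible.
    return "u:" + digest[:16]


def log_line(username: str, message: str, key: bytes = LOG_KEY) -> str:
    """Format a log entry that carries the token instead of the username."""
    return f"reader {user_token(username, key)} {message}"


def entries_for(username: str, lines, key: bytes = LOG_KEY):
    """Return the log lines for one user, the equivalent of grepping the token."""
    token = user_token(username, key)
    return [ln for ln in lines if token in ln.split()]


# Constructed sample log (hypothetical usernames and messages).
SAMPLE_LOG = [
    log_line("alice", "authenticated"),
    log_line("bob", "group comp.lang.perl"),
    log_line("alice", "post failed"),
]

if __name__ == "__main__":
    for line in entries_for("alice", SAMPLE_LOG):
        print(line)
```

The key has to be protected like any other credential on the host: anyone who obtains both the key and the logs can test candidate usernames against the tokens.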





More information about the inn-workers mailing list