The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
> It's in the secure log (LOG_AUTHPRIV) which only root can access - the
> purpose of this log is to log information that ordinary users cannot
> see. Since it's the wrong password anyway, and root can already read
> /etc/shadow and crack the correct password

It's not true. The shadow file contains only password hashes, and cracking passwords is normally a complex task.

> (or simply change an existing password)

Yes, but you don't know the user's current password.

> , it's not any information that isn't already available.

The problem with password logging is that users quite often try to use passwords from different applications, so the administrator of the system can possibly see the user's other (non-CVS) REAL passwords typed by mistake, which is very bad from a computer systems security point of view. No server application logs any passwords.

> cvshome cvs does exactly the same thing, btw. and always has done as far
> as I can tell (at least as far back as 2001 from searching).

Yes, but it happens on the CLIENT side (not SERVER), on the client computer.

> You can always disable it in the code if it bothers you that much.

Yes, but not everybody can do this. So it is better to follow good security practices in the common version.

-------
Andrew Gaganov
Phone : +7 (812)324-4898 # 259
E-Mail : agaganov at openwaygroup.com
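An added example, not code from CVSNT or from this thread: one way a server can record a failed login in LOG_AUTHPRIV without the submitted password ever reaching the log. The function names are hypothetical, and the filtering of control characters in the username goes slightly beyond what the thread discusses.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy `in` into `out`, replacing control bytes, non-ASCII bytes and
 * double quotes with '?', so a hostile username cannot forge extra log
 * lines or break out of the quoted field. Truncates to the buffer size. */
static void sanitize_field(char *out, size_t outlen, const char *in)
{
    size_t i = 0;
    if (outlen == 0)
        return;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c >= 0x20 && c < 0x7f && c != '"') ? (char)c : '?';
    }
    out[i] = '\0';
}

/* Hypothetical helper: build the log line for a failed login.
 * The submitted password is deliberately not a parameter, so it cannot
 * end up in the log by accident. Returns the snprintf() result. */
int format_auth_failure(char *buf, size_t buflen,
                        const char *user, const char *peer)
{
    char u[64], p[64];
    sanitize_field(u, sizeof u, user);
    sanitize_field(p, sizeof p, peer);
    return snprintf(buf, buflen,
                    "login failure for user \"%s\" from %s", u, p);
}

/* Hypothetical server-side hook, called after password verification fails. */
void log_auth_failure(const char *user, const char *peer)
{
    char line[256];
    format_auth_failure(line, sizeof line, user, peer);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line);
}

int main(void)
{
    /* Constructed sample input: the username carries an embedded newline. */
    log_auth_failure("alice\nlogin ok for root", "192.0.2.10");
    return 0;
}
```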