What should the password/security/userinfo/login system include?

Leslie Mikesell les at chinet.chi.il.us
Sun Dec 17 14:24:35 AEST 1989


In article <1989Dec15.182256.5912 at sq.sq.com> lee at sq.com (Liam R. E. Quin) writes:
>les at chinet.chi.il.us (Leslie Mikesell) writes:
[logging failed login attempts]

>This of course poses a considerable security risk.
>Consider the case that you typed "rot" instead of "root" and gave the
>correct root password.  It gets logged, and anyone who can look at the log
>can see the root password.

A).  I'm only interested in the dialup lines.  If someone has trouble
     locally, I'll walk over and help them.  This means that there won't
     be anyone logging in as root.

B).  I would only log completely failing attempts (i.e. the line drops
     before they get in), not every typo.  This doesn't happen often
     unless there is a real problem.
     Anyone who knows what they are doing would change their password
     after this happens on the chance that they were typing into a
     trojan login program anyway.

C).  The logfile would (of course) only be readable by root.  I'd be
     happy to encrypt it, but how do I pass the encryption key to the
     login program?
 
>Your system is now *less* secure, because you have to protect the log file.
>Recent trends such as keeping the encrypted passwords in /etc/shadow where
>only root can see them are an improvement completely defeated if all I have
>to do is read the raw disk to find the root password.

Can you read the raw disk if you don't already have the root password?
If you can do stuff like that, why not just watch the clist buffers and
catch them on the fly?

Our alternative is to keep a monitor terminal available to bridge onto
the modem lines, which is not particularly secure either.  It is also
not very handy, since the calls mostly come in to a single number that
the phone switch rolls over as needed so we don't know ahead of time
where a particular call is going to land.

Les Mikesell
 les at chinet.chi.il.us
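The objection in the quoted text (a mistyped login name that is really the root password lands in the log) and Les's points B and C can be reconciled in code: log only sessions that drop before a successful login, never record an unrecognized name verbatim, and open the log root-only. The following is an added example, not code from the original post or from any 1989 system; the account set `KNOWN_USERS`, the `FailedSession` record and the helper names are constructed for illustration.

```python
"""Failed-login audit record that never stores what was typed in the
name field unless it matches an existing account.

Added example, not part of the original post. The account list,
helper names and sample session are constructed for illustration."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed account list standing in for the system's user database.
KNOWN_USERS = {"root", "les", "lee"}


@dataclass
class FailedSession:
    line: str            # dialup line the session came in on
    attempts: List[str]  # names typed at the login: prompt, in order
    logged_in: bool      # whether the caller eventually got in


def redact_name(name: str, known_users=KNOWN_USERS) -> str:
    """Return the name only if it is a real account.

    Anything else may be a password typed into the wrong field (the
    'rot'/'root' slip in the thread), so nothing derived from it is kept:
    even a truncated hash of a low-entropy password can be brute-forced
    offline by whoever later reads the log."""
    return name if name in known_users else "<unknown>"


def audit_record(session: FailedSession, known_users=KNOWN_USERS) -> Optional[str]:
    """One log line for a session that dropped before login (point B);
    None when the caller got in, so ordinary typos are never logged."""
    if session.logged_in:
        return None
    names = ",".join(redact_name(n, known_users) for n in session.attempts)
    return f"line={session.line} attempts={len(session.attempts)} names={names}"


def write_audit_line(path: str, record: str) -> int:
    """Append one record to a log created owner-read/write only (point C).

    Returns the file's permission bits so a caller can verify that group
    and other have no access."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as log:
        log.write(record + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> Tuple[int, List[str]]:
    """Run the two sample sessions against a temporary log file and return
    (permission bits, logged lines)."""
    sessions = [
        # Caller typed "rot" (possibly the root password), then got in as les.
        FailedSession(line="tty1", attempts=["rot", "les"], logged_in=True),
        # Caller tried "rot" and "les" and the line dropped: this one is logged.
        FailedSession(line="tty2", attempts=["rot", "les"], logged_in=False),
    ]
    path = os.path.join(tempfile.mkdtemp(), "faillog")
    mode = 0o600
    for s in sessions:
        rec = audit_record(s)
        if rec is not None:
            mode = write_audit_line(path, rec)
    with open(path) as log:
        return mode, [ln.rstrip("\n") for ln in log]


if __name__ == "__main__":
    print(demo())
```

The log line for the dropped session reads `names=<unknown>,les`: the existence of a bad guess is recorded, the guess itself is not, so a reader of the log (or of the raw disk, as the quoted reply worries) learns nothing about the root password.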
