Discussion forum about ELOG
obfuscate password in verbose logging, posted by Mark Bergman on Thu Apr 26 23:57:04 2012
    Re: obfuscate password in verbose logging, posted by Mark Bergman on Fri Apr 27 00:29:56 2012
Message ID: 67253     Entry time: Thu Apr 26 23:57:04 2012     Reply to this: 67254
Icon: Warning  Author: Mark Bergman  Author Email: mark.bergman@uphs.upenn.edu 
Category: Request  OS: Linux  ELOG Version: 2.9.1 
Subject: obfuscate password in verbose logging 
I'm trying to debug an issue with elogd (2.9.1) and was reminded that using the "-v" option exposes
user passwords. This wasn't a huge problem for us in the past, but we're now using Kerberos authentication,
meaning that the exposed username/password applies to lots of sensitive systems within our university.


I'd suggest that the "-v" option hide passwords. If they need to be revealed for debugging
purposes, make that a separate (and very well documented) option. Maybe something like:
"--really-include-passwords-as-clear-text-in-log-output". :)
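One way a server could implement the behaviour requested above, as an added example that is not part of the original post and not ELOG's own code: a C filter that masks password values in a form-encoded request body before it reaches the verbose log, unless an explicit opt-in flag is set. The parameter names, the `redact_form` function and the `show_secrets` flag are assumptions for illustration, and the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of secret parameter names (lower case); not from elogd. */
static const char *SECRET_KEYS[] = { "password", "passwd", "pwd" };

/* True if name[0..len) contains a secret key, ignoring case. */
static int is_secret_key(const char *name, size_t len)
{
    char low[64];
    if (len >= sizeof low) return 1;   /* fail closed on over-long names */
    for (size_t i = 0; i < len; i++) low[i] = (char)tolower((unsigned char)name[i]);
    low[len] = '\0';
    for (size_t k = 0; k < sizeof SECRET_KEYS / sizeof *SECRET_KEYS; k++)
        if (strstr(low, SECRET_KEYS[k])) return 1;
    return 0;
}

/* Copy a form-encoded string ("a=1&b=2") to out for logging, replacing the
 * values of secret parameters with "***" unless show_secrets is non-zero.
 * Returns 0, or -1 if out is too small (out is emptied, never truncated). */
int redact_form(const char *in, char *out, size_t outsz, int show_secrets)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        size_t pair = strcspn(in, "&");    /* length of this "key=value" */
        size_t key = strcspn(in, "=&");    /* length of the key alone */
        int mask = !show_secrets && key < pair && is_secret_key(in, key);
        size_t keep = mask ? key + 1 : pair;   /* bytes copied verbatim */
        size_t need = keep + (mask ? 3 : 0) + (in[pair] ? 1 : 0);
        if (o + need >= outsz) { out[0] = '\0'; return -1; }
        memcpy(out + o, in, keep);
        o += keep;
        if (mask) { memcpy(out + o, "***", 3); o += 3; }
        in += pair;
        if (*in == '&') out[o++] = *in++;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char line[128];
    if (redact_form("user=alice&password=s3cret&remember=1", line, sizeof line, 0) == 0)
        printf("POST body: %s\n", line);
    return 0;
}
```

Masking by default and emptying the buffer on overflow means neither the normal verbose path nor a truncated line can write part of a secret to the log.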