Subject: Re: increasing UT_HOSTSIZE for IPv6?
To: Gandhi woulda smacked you <email@example.com>
From: Bill Sommerfeld <firstname.lastname@example.org>
Date: 07/26/1999 12:31:31
> utmp: I hope you're prepared to make 'who', 'finger' and 'w' sort their
> output :-) [db files are not stored in any meaningful order].
yep, that's a reasonable implementation detail. (actually, "who",
etc. could walk through the ttys file to get the ordering..)
> wtmp: Why text? That makes it that much easier for a newbie cracker wannabe
> to hack accounting records.
Because most other log files with variable-size records use text file
Besides, someone could always cook up a utmp-mode for emacs..
if you're really concerned about tampering by an intruder, marking the
file as append-only and/or using some sort of cryptographic
tamper-evident seals on the file seems like a better solution..
> This would be a boon, actually. Would you show who the intruder was
> attempting to impersonate?
Not quite sure what you're talking about here..
This would be a per-user record indicating failed attempts to log in
as that user, so that login could print (for instance):
"3 failed login attempts since last successful login"
"last failed attempt from www.xxx.yy.zzz using ftp"
Conceivably, unauthenticated rlogin could indicate the user name
claimed by the remote system, and kerberos-authenticated logins could
indicate the remote principal name. i'm not familiar enough with how
ssh does authorized_keys stuff to know if there's anything profitably