IMHO Hakki has a very valid concern but it is two-fold.
The first part, some lastb components being accessible by 'normal' users is surely a bad setup.
The second part, that the attempted usernames show up in clear print to root users worries and had always bothered me.
For now I offer no solution, just a point to ponder.
Just like Hakki describes I have mistakenly entered my otherwise well-protected and well-chose, but shared amongst more system, password against the username prompt, instead of the password prompt. Clearly this is a user error. But it happens! Agreed?
While a system manager is implicitly trusted on the system being managed, this trust IMHO does NOT extent to other systems.
Whenever this happens to me, I'm very annoyed, and feel obliged to change my password. It would be nice to know that there was an option to NOT have the attempted username stored in clear print (only if it is a valid passwd entry?)
Admittedly this would reduce the ability for a system manager to assist users who repeatedly fat-finger or are mistaken about the username to use, but that's a price I would be willing to pay to be able to say that I can not have possibly seen a users passwords, that the system does not record potential passwords, even when fat-fingerd.
Like I said... just a thought!
Hein.
