authorTodd C. Miller <Todd.Miller@sudo.ws>2022-01-28 08:52:42 -0700
committerTodd C. Miller <Todd.Miller@sudo.ws>2022-01-28 08:52:42 -0700
commitd877deed1edd31a24e634ed651c9b32253587b73 (patch)
tree1863ca2deb25f8e8aa00e488968da2c2bfcf729f /examples
parent2c14ad69b00f5bafb63feebdf5931d5392fc219f (diff)
downloadsudo-d877deed1edd31a24e634ed651c9b32253587b73.tar.gz
Add new log_passwords and passprompt_regex settings.
When logging terminal input, if log_passwords is false and any of the regular expressions in the passprompt_regex list are found in the terminal output, terminal input will be replaced with '*' characters until a newline or carriage return is found in the input or an output character is received.
Diffstat (limited to 'examples')
-rw-r--r--examples/sudo_logsrvd.conf10
1 files changed, 10 insertions, 0 deletions
diff --git a/examples/sudo_logsrvd.conf b/examples/sudo_logsrvd.conf
index 32dbd821b..5fd7d3f40 100644
--- a/examples/sudo_logsrvd.conf
+++ b/examples/sudo_logsrvd.conf
@@ -179,6 +179,10 @@
# specified by iolog_mode.
#iolog_mode = 0600
+# If disabled, sudo_logsrvd will attempt to avoid logging plaintext
+# password in the terminal input using passprompt_regex.
+#log_passwords = true
+
# The maximum sequence number that will be substituted for the "%{seq}"
# escape in the I/O log file. While the value substituted for "%{seq}"
# is in base 36, maxseq itself should be expressed in decimal. Values
@@ -186,6 +190,12 @@
# number "ZZZZZZ") will be silently truncated to 2176782336.
#maxseq = 2176782336
+# One or more POSIX extended regular expressions used to match
+# password prompts in the terminal output when log_passwords is
+# disabled. Multiple passprompt_regex settings may be specified.
+#passprompt_regex = [Pp]assword[: ]*
+#passprompt_regex = [Pp]assword for [a-z0-9]+: *
+
[eventlog]
# Where to log accept, reject, exit, and alert events.
# Accepted values are syslog, logfile, or none.
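Review bot: The comment added above `#log_passwords = true` in the first hunk does not say how limited the masking is: per the commit message, input is replaced with '*' only after a passprompt_regex match in the terminal output, and only until a newline, carriage return or the next output character. An operator could read `log_passwords = false` as a guarantee, so I would add `# This is best-effort: a password typed at a prompt that matches no passprompt_regex is still logged in plaintext.` to that comment. In the second hunk, `[Pp]assword[: ]*` can match the bare word anywhere in the output because `[: ]*` may match nothing, which appears to make the second example redundant if matching is an unanchored search, as the commit message's "found in" suggests. Prompts worded differently (a passphrase or PIN prompt, or a localized prompt) match neither example, and the comment could tell sites to add patterns for the prompts they actually see.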