Subject: Re: Re: lib/30923
To: Martin Husemann <firstname.lastname@example.org>
From: Bill Studenmund <email@example.com>
Date: 08/26/2005 10:23:03
Content-Type: text/plain; charset=us-ascii
On Fri, Aug 26, 2005 at 12:15:44AM +0200, Martin Husemann wrote:
> On Thu, Aug 25, 2005 at 11:00:54AM +0200, Zafer Aydogan wrote:
> > Rui, you don't seem to get it. A Message is printed by syslog on the
> > console. The Message that should be removed is on the remote end.
> > That is a security issue!
> Apparently it is not clear to everyone that the traditional behaviour
> suddenly is wrong from a security POV (or no one uses telnetd any
> more nor runs insecure ttys).
While I agree with what I understand the change is (make the wrong
password and right-password-wrong-terminal messages the same), I agree
it's a change w.r.t. past behavior.
> A PR is not the right place to discuss this - maybe bring this up on
> tech-security and if consensus is reached, someone might apply the
> rumored patch (the PR has no patch, as of a few minutes ago).
I think such a discussion would be good. I think we should make this
change, but getting some attention paid to it in a security-focused
setting will be good too.