Subject: Re: Re: lib/30923
To: Martin Husemann <martin@duskware.de>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 08/26/2005 10:23:03

On Fri, Aug 26, 2005 at 12:15:44AM +0200, Martin Husemann wrote:
> On Thu, Aug 25, 2005 at 11:00:54AM +0200, Zafer Aydogan wrote:
> > Rui, you don't seem to get it. A Message is printed by syslog on the
> > console. The Message that should be removed is on the remote end.
> > That is a security issue!
>
> Apparently it is not clear to everyone that the traditional behaviour
> suddenly is wrong from a security POV (or noone uses telnetd any
> more nor runs insecure ttys).

While I agree with what I understand the change is (make the wrong
password and right-password-wrong-terminal messages the same), I agree
it's a change w.r.t. past behavior.

> A PR is not the right place to discuss this - maybe bring this up on
> tech-security and if consensus is reached, someone might apply the
> rumored patch (the PR has no patch, as of a few minutes ago).

I think such a discussion would be good. I think we should make this
change, but getting some attention paid to it in a security-focused
setting will be good too.

Take care,

Bill
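As an added illustration of the change the thread is discussing (this is constructed example code, not the PR's patch and not NetBSD's login(1)): both failure paths hand the remote end the same text, while the specific reason survives only in the line destined for the local syslog. The credential, the tty name and the two helper checks are stand-ins invented for the demonstration.

```c
#include <stdbool.h>
#include <string.h>

/* Outcome of one login attempt: what the remote end sees vs. what is logged locally. */
struct login_result {
    bool        ok;
    const char *remote_msg;   /* written back over the (possibly untrusted) link */
    const char *audit_reason; /* intended for syslog on the console only */
};

/* Hypothetical stand-ins for the password check and the "secure" tty flag. */
static bool password_matches(const char *user, const char *pass) {
    /* constructed sample credential for the demonstration only */
    return strcmp(user, "root") == 0 && strcmp(pass, "correct-horse") == 0;
}
static bool tty_is_secure(const char *tty) {
    return strcmp(tty, "console") == 0;   /* only the console counts as secure here */
}

/* One uniform failure text: identical whether the password was wrong or the
 * terminal is merely not permitted, so a remote observer cannot tell them apart. */
static const char *const LOGIN_INCORRECT = "Login incorrect";

struct login_result attempt_login(const char *user, const char *pass, const char *tty) {
    struct login_result r = { false, LOGIN_INCORRECT, NULL };
    bool pw_ok  = password_matches(user, pass);
    bool tty_ok = strcmp(user, "root") != 0 || tty_is_secure(tty);

    if (pw_ok && tty_ok) {
        r.ok = true;
        r.remote_msg = "Welcome";
        r.audit_reason = "login accepted";
    } else if (!pw_ok) {
        r.audit_reason = "bad password";                 /* detail stays local */
    } else {
        r.audit_reason = "root login refused on insecure tty"; /* detail stays local */
    }
    return r;
}

/* A caller would log r.audit_reason (with user and tty) via syslog and send only
 * r.remote_msg to the session; both failure cases therefore print the same text. */
```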
