Subject: Re: Re: lib/30923
To: Martin Husemann <>
From: Bill Studenmund <>
List: current-users
Date: 08/26/2005 10:23:03
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Aug 26, 2005 at 12:15:44AM +0200, Martin Husemann wrote:
> On Thu, Aug 25, 2005 at 11:00:54AM +0200, Zafer Aydogan wrote:
> > Rui, you don't seem to get it. A Message is printed by syslog on the
> > console. The Message that should be removed is on the remote end.
> > That is a security issue!
> Apparently it is not clear to everyone that the traditional behaviour
> suddenly is wrong from a security POV (or noone uses telnetd any
> more nor runs insecure ttys).

While I agree with what I understand the change is (make the wrong=20
password and right-password-wrong-terminal messages the same), I agree=20
it's a change w.r.t. past behavior.

> A PR is not the right place to discuss this - maybe bring this up on
> tech-security and if consensus is reached, someone might apply the=20
> rumored patch (the PR has no patch, as of a few minutes ago).

I think such a discussion would be good. I think we should make this=20
change, but getting some attention paid to it in a security-focused=20
setting will be good too.

Take care,


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.3 (NetBSD)