Subject: Re: Re: lib/30923
To: Rui Paulo <rpaulo@NetBSD.org>
From: Bill Studenmund <email@example.com>
Date: 08/26/2005 10:24:31
Content-Type: text/plain; charset=us-ascii
On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
> On 2005.08.25 11:00:54 +0000, Zafer Aydogan wrote:
> | > I think the thread was all about the output message and the "secure" =
> | > of view of it. While I don't care much about the message printed, som=
> | > may want that as an option.
> | >=20
> | Rui, you don't seem to get it. A Message is printed by syslog on the
> | console. The Message that should be removed is on the remote end.
> | That is a security issue! The patch closes this hole. Please commit it.
> | I don't get why you make a big fuzz about this.=20
> | Check Free- and OpenBSD or Linux if you think they handle this differen=
> | They don't. Aslong this is a security issue they definitely don't !
> This is not a security issue from my POV. What I want is an option to
> change the behaviour. That's all.
It is. It means that you can remotely attempt to crack the root password=20
by throwing a dictionary attack at login; the different messages will=20
indicate when you got the right password.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (NetBSD)
-----END PGP SIGNATURE-----