Subject: Re: Re: lib/30923
To: Rui Paulo <rpaulo@NetBSD.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 08/26/2005 10:24:31

On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
> On 2005.08.25 11:00:54 +0000, Zafer Aydogan wrote:
> | > I think the thread was all about the output message and the "secure" point
> | > of view of it. While I don't care much about the message printed, someone
> | > may want that as an option.
> | >
> | Rui, you don't seem to get it. A message is printed by syslog on the
> | console. The message that should be removed is on the remote end.
> | That is a security issue! The patch closes this hole. Please commit it.
> | I don't get why you make a big fuss about this.
> | Check Free- and OpenBSD or Linux if you think they handle this differently.
> | They don't. As long as this is a security issue they definitely don't!
>
> This is not a security issue from my POV. What I want is an option to
> change the behaviour. That's all.

It is. It means that you can remotely attempt to crack the root password
by throwing a dictionary attack at login; the different messages will
indicate when you got the right password.

Take care,

Bill
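As an added illustration of the point made above (example code, not NetBSD's login(1) or the patch under discussion): a small Python model of a login handler in which the "root login refused on this terminal" message is only reachable after the password has already been verified, beside a variant that collapses every failure into one message. The credential store, the set of "secure" ttys and the sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed stand-ins for the password database and the "secure" flag
# in /etc/ttys; salted SHA-256 is used here only to keep the example short.
_SALT = b"example-salt"
_USERS = {
    "root": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}
_SECURE_TTYS = {"console"}


def _password_ok(user, password):
    """Verify a password against the constructed store (constant-time compare)."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(stored, candidate)


def login_leaky(user, password, tty):
    """Order of checks that leaks: the 'refused' branch is only reached when
    the root password was right, so the two failure messages tell a remote
    caller on an insecure tty whether the guess was correct."""
    if not _password_ok(user, password):
        return "Login incorrect"
    if user == "root" and tty not in _SECURE_TTYS:
        return "root login refused on this terminal"
    return "Welcome"


def login_fixed(user, password, tty):
    """Hardened variant: evaluate every condition, then return one generic
    message for any failure.  The precise reason can still go to the local
    syslog; it just must not be echoed to the remote end."""
    pw_ok = _password_ok(user, password)
    tty_ok = not (user == "root" and tty not in _SECURE_TTYS)
    if pw_ok and tty_ok:
        return "Welcome"
    return "Login incorrect"


def is_oracle(login):
    """True if the login function's reply on an insecure tty differs between
    a wrong root password and the correct one, i.e. it leaks the outcome."""
    wrong = login("root", "wrong guess", "ttyp0")
    right = login("root", "correct horse", "ttyp0")
    return wrong != right
```

`is_oracle(login_leaky)` is True while `is_oracle(login_fixed)` is False, which is exactly the difference the patch in this thread is about.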
