Subject: Re: Re: lib/30923
To: Bill Studenmund <wrstuden@netbsd.org>
From: Rui Paulo <rpaulo@NetBSD.org>
List: current-users
Date: 08/26/2005 19:46:44
On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
| On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
| > On 2005.08.25 11:00:54 +0000, Zafer Aydogan wrote:
| > | > I think the thread was all about the output message and the "secure" point
| > | > of view of it. While I don't care much about the message printed, someone
| > | > may want that as an option.
| > | >
| > | Rui, you don't seem to get it. A message is printed by syslog on the
| > | console. The message that should be removed is on the remote end.
| > | That is a security issue! The patch closes this hole. Please commit it.
| > | I don't get why you make a big fuss about this.
| > | Check Free- and OpenBSD or Linux if you think they handle this differently.
| > | They don't. As long as this is a security issue they definitely don't!
| >
| > This is not a security issue from my POV. What I want is an option to
| > change the behaviour. That's all.
|
| It is. It means that you can remotely attempt to crack the root password
| by throwing a dictionary attack at login; the different messages will
| indicate when you got the right password.

I was referring to the "root login not allowed on this terminal" messages.

		-- Rui Paulo
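
Bill's point, that printing "root login not allowed on this terminal" only after the password has been accepted turns the login prompt into a password oracle, as an added C example. This is not NetBSD's login(1) code and not part of the thread: the password check, the "secure" terminal test and the log strings are constructed stand-ins. It shows the leaky ordering beside a version that returns one message to the remote side and keeps the specific reason for the local log, which is what the thread describes syslog doing on the console.

```c
#include <stdio.h>
#include <string.h>

/* Constructed placeholder so the example runs offline; a real login
 * checks a password hash from the password database, never a literal. */
#define ROOT_PASSWORD "constructed-root-password"

/* Stand-in for the real password check (assumption for this example). */
static int password_ok(const char *user, const char *password)
{
    return strcmp(user, "root") == 0 && strcmp(password, ROOT_PASSWORD) == 0;
}

/* Stand-in for the ttys(5) "secure" flag: only the console qualifies here. */
static int terminal_is_secure(const char *tty)
{
    return strcmp(tty, "console") == 0;
}

/* Leaky ordering: the terminal check runs only after the password has been
 * accepted, so the text of the refusal tells the remote side whether the
 * guess was right even though no session is granted. */
const char *login_leaky(const char *user, const char *password, const char *tty)
{
    if (!password_ok(user, password))
        return "Login incorrect";
    if (strcmp(user, "root") == 0 && !terminal_is_secure(tty))
        return "root login not allowed on this terminal";
    return "OK";
}

/* Uniform version: both conditions are evaluated, the remote side gets the
 * same message for every refusal, and the precise reason is written to a
 * log buffer (standing in for syslog on the console). */
const char *login_uniform(const char *user, const char *password, const char *tty,
                          char *logbuf, size_t loglen)
{
    int pw_ok = password_ok(user, password);
    int tty_ok = strcmp(user, "root") != 0 || terminal_is_secure(tty);

    if (pw_ok && tty_ok) {
        snprintf(logbuf, loglen, "login: %s on %s", user, tty);
        return "OK";
    }
    if (pw_ok && !tty_ok)
        snprintf(logbuf, loglen, "ROOT LOGIN REFUSED ON %s (terminal not secure)", tty);
    else
        snprintf(logbuf, loglen, "LOGIN FAILURE FOR %s ON %s", user, tty);
    /* Same text whether the password or the terminal caused the refusal. */
    return "Login incorrect";
}

int main(void)
{
    char logbuf[128];
    const char *tty = "ttyp0"; /* a non-secure (remote) terminal */

    printf("leaky,   wrong password : %s\n", login_leaky("root", "guess", tty));
    printf("leaky,   right password : %s\n", login_leaky("root", ROOT_PASSWORD, tty));

    printf("uniform, wrong password : %s\n",
           login_uniform("root", "guess", tty, logbuf, sizeof logbuf));
    printf("  local log: %s\n", logbuf);
    printf("uniform, right password : %s\n",
           login_uniform("root", ROOT_PASSWORD, tty, logbuf, sizeof logbuf));
    printf("  local log: %s\n", logbuf);
    return 0;
}
```

The difference the two leaky calls print is the oracle: with the uniform function the remote side cannot separate "wrong password" from "right password, wrong terminal", while the administrator still sees the distinguishing reason in the local log. The example deals only with the message text; response timing is a separate concern it does not address.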
