Subject: Re: Re: lib/30923
To: Bill Studenmund <firstname.lastname@example.org>
From: Rui Paulo <rpaulo@NetBSD.org>
Date: 08/26/2005 19:46:44
Content-Type: text/plain; charset=us-ascii
On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
| On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
| > On 2005.08.25 11:00:54 +0000, Zafer Aydogan wrote:
| > | > I think the thread was all about the output message and the "secure=
| > | > of view of it. While I don't care much about the message printed, s=
| > | > may want that as an option.
| > | >
| > | Rui, you don't seem to get it. A Message is printed by syslog on the
| > | console. The Message that should be removed is on the remote end.
| > | That is a security issue! The patch closes this hole. Please commit i=
| > | I don't get why you make a big fuss about this.
| > | Check Free- and OpenBSD or Linux if you think they handle this differ=
| > | They don't. As long this is a security issue they definitely don't!
| > This is not a security issue from my POV. What I want is an option to
| > change the behaviour. That's all.
| It is. It means that you can remotely attempt to crack the root password
| by throwing a dictionary attack at login; the different messages will
| indicate when you got the right password.
I was referring to the "root login not allowed on this terminal" messages.
-- Rui Paulo
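
The point argued in the thread, as an added example that is not part of the original messages and is not NetBSD's login code: if the terminal refusal is sent to the remote end only after the password has checked out, the reply tells the remote side whether a guess was right. The struct, the function names and the "Login incorrect" and log strings are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a login attempt; not NetBSD's login(1) code. */
struct attempt { const char *user; bool password_ok; bool tty_secure; };
typedef const char *(*reply_fn)(const struct attempt *, const char **);

static bool root_on_insecure_tty(const struct attempt *a) {
    return strcmp(a->user, "root") == 0 && !a->tty_secure;
}

/* Leaky: the terminal refusal goes to the remote end, and only after the
 * password has checked out, so it confirms a correct guess. */
const char *reply_leaky(const struct attempt *a, const char **local_log) {
    *local_log = NULL;
    if (!a->password_ok) return "Login incorrect";
    if (root_on_insecure_tty(a))
        return "root login not allowed on this terminal";
    return "ok";
}

/* Uniform: every failure looks the same remotely; the reason is kept for
 * the local log (syslog on the console, in the thread's terms). */
const char *reply_uniform(const struct attempt *a, const char **local_log) {
    *local_log = NULL;
    if (root_on_insecure_tty(a)) {
        *local_log = "root login refused on insecure terminal";
        return "Login incorrect";
    }
    if (!a->password_ok) { *local_log = "bad password"; return "Login incorrect"; }
    return "ok";
}

/* True if the remote reply differs between a wrong and a right root password
 * on an insecure terminal, i.e. the reply acts as a password oracle. */
bool reply_reveals_password(reply_fn reply) {
    struct attempt wrong = { "root", false, false };
    struct attempt right = { "root", true, false };
    const char *log;
    return strcmp(reply(&wrong, &log), reply(&right, &log)) != 0;
}

int main(void) {
    printf("leaky reveals password:   %d\n", reply_reveals_password(reply_leaky));
    printf("uniform reveals password: %d\n", reply_reveals_password(reply_uniform));
    return 0;
}
```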