To: Bill Studenmund <firstname.lastname@example.org>
From: Zafer Aydogan <email@example.com>
Date: 08/26/2005 20:39:04
> --- Ursprüngliche Nachricht ---
> Von: Bill Studenmund <firstname.lastname@example.org>
> An: Rui Paulo <rpaulo@NetBSD.org>
> Kopie: Zafer Aydogan <email@example.com>, firstname.lastname@example.org,
> Betreff: Re: Re: lib/30923
> Datum: Fri, 26 Aug 2005 10:24:31 -0700
> On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
> > On 2005.08.25 11:00:54 +0000, Zafer Aydogan wrote:
> > | > I think the thread was all about the output message and the "secure"
> > | > of view of it. While I don't care much about the message printed,
> > | > may want that as an option.
> > | >
> > | Rui, you don't seem to get it. A Message is printed by syslog on the
> > | console. The Message that should be removed is on the remote end.
> > | That is a security issue! The patch closes this hole. Please commit
> > | I don't get why you make a big fuzz about this.
> > | Check Free- and OpenBSD or Linux if you think they handle this
> > | They don't. Aslong this is a security issue they definitely don't !
> > This is not a security issue from my POV. What I want is an option to
> > change the behaviour. That's all.
> It is. It means that you can remotely attempt to crack the root password
> by throwing a dictionary attack at login; the different messages will
> indicate when you got the right password.
> Take care,
While 3Beta and current are using pam, the old 2-stable tree (without pam)
has also the same vulnerability, by printing "root login is not allowed on
this terminal.", which is in my opinion more worse, because it is more
precise. Rui wants to keep that message in 2.1, whereas I think it is a
security issue, which it really is, because the message appears on the
remote end, and should not be kept.
I haven't seen something similar on any other OS, even if it is POSIX
conform, what I doubt.