Subject: Re: Re: lib/30923
To: Rui Paulo <rpaulo@NetBSD.org>
From: Bill Studenmund <email@example.com>
Date: 08/26/2005 11:44:27
Content-Type: text/plain; charset=us-ascii
On Fri, Aug 26, 2005 at 07:46:44PM +0100, Rui Paulo wrote:
> On 2005.08.26 10:24:31 +0000, Bill Studenmund wrote:
> | On Thu, Aug 25, 2005 at 01:26:29PM +0100, Rui Paulo wrote:
> | >
> | > This is not a security issue from my POV. What I want is an option to
> | > change the behaviour. That's all.
> | It is. It means that you can remotely attempt to crack the root password
> | by throwing a dictionary attack at login; the different messages will
> | indicate when you got the right password.
> I was referring to the "root login not allowed on this terminal" messages.
As am I. As is Zafer.
They leak security information. And that is bad.
Say I am a remote attacker trying to log in directly as root. I'm logging
in via an insecure terminal, so I have no chance of actually getting in.
And yes, there will be "root login attempt" messages & such in the local
However, and this is the sticky point, I, as a remote attacker, will get
one message thrown at me if I get the password right and a different
message thrown at me if I get it wrong. So even though I didn't get in
(and had no chance of getting in), I know if I got the root password
right. Thus I can use a remote dictionary attack to figure out the root
password; I just keep going until I get a different reject message.
There are a number of ways of fixing this.
Probably the best is to consolidate them, and make one "You can't get in
because either this terminal is insecure or you typed in the wrong
password" message. I know there was a patch mentioned in this thread, it
should get added to the PR. I don't know if that's what the patch does...
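The message oracle discussed in this thread, as an added example that is not NetBSD's login(1) code and not from the PR: a leaky root-login decision beside the consolidated-message variant Bill proposes, plus a check that tells the two apart. The password check and the secure-terminal lookup are constructed stand-ins for crypt(3) and the ttys(5) "secure" flag.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample root password; an assumption so the example runs offline. */
#define SAMPLE_ROOT_PW "correct-horse"

/* Stand-in for the ttys(5) "secure" flag: only the console is trusted here. */
static bool tty_is_secure(const char *tty) {
    return strcmp(tty, "console") == 0;
}

/* Stand-in for the crypt(3) comparison. Compared in constant time so that the
 * fixed variant below does not reintroduce the oracle through timing. */
static bool password_ok(const char *supplied) {
    size_t n = strlen(SAMPLE_ROOT_PW), m = strlen(supplied);
    unsigned char diff = (unsigned char)(n ^ m);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(SAMPLE_ROOT_PW[i] ^ (i < m ? supplied[i] : 0));
    return diff == 0;
}

/* Leaky behaviour from the thread: a wrong password and a right password on an
 * insecure terminal yield different reject messages, so the caller learns
 * whether the password was right without ever logging in. */
const char *login_root_leaky(const char *tty, const char *pw) {
    if (!password_ok(pw))
        return "Login incorrect";
    if (!tty_is_secure(tty))
        return "root login not allowed on this terminal";
    return "welcome";
}

/* Consolidated message as proposed: both reject paths return the same string.
 * The password is still evaluated on every path so the work done is the same. */
const char *login_root_fixed(const char *tty, const char *pw) {
    bool ok = password_ok(pw);
    if (!ok || !tty_is_secure(tty))
        return "Login incorrect";
    return "welcome";
}

/* True when the reject message on an insecure tty depends on password
 * correctness, i.e. when the message pair works as a password oracle. */
bool leaks_password_validity(const char *(*login)(const char *, const char *)) {
    const char *right = login("ttyp0", SAMPLE_ROOT_PW);  /* right pw, insecure tty */
    const char *wrong = login("ttyp0", "wrong-guess");   /* wrong pw, insecure tty */
    return strcmp(right, wrong) != 0;
}

int main(void) {
    printf("leaky variant leaks: %d\n", leaks_password_validity(login_root_leaky));
    printf("fixed variant leaks: %d\n", leaks_password_validity(login_root_fixed));
    return 0;
}
```

Logging of the attempt (the "root login attempt" record the mail mentions) is unaffected by the fix; only the text shown to the remote side is made uniform.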