Subject: Re: root password : security hole ?
To: Ignatios Souvatzis <ignatios@theory.cs.uni-bonn.de>
From: Quentin Garnier <netbsd@quatriemek.com>
List: netbsd-users
Date: 03/12/2003 11:30:40
Le Wed, 12 Mar 2003 10:12:31 +0100
Ignatios Souvatzis a écrit :
> On Tue, Mar 11, 2003 at 06:52:24PM +0100, Florence HENRY wrote:
>
>
> > But if you give the good one, it says :
> > root login refused on this terminal.
> >
> > On a digital unix, both give Login incorrect.
> >
> > I know there is little chance that a someone (human or not) guesses
> > the root password as first try, but I don't like the idea to give
> > anyone any indication about the root password.
> >
> > What do you think about that ? Could it be a security hole ?
>
> You reveal that the root password was correct. Hm.... Yes, I think
> it should always say "Login incorrect." or maybe always "root login
> refused on this terminal."
The problem lies in usr.bin/login/login.c, near line 492 :
/*
* If trying to log in as root without Kerberos,
* but with insecure terminal, refuse the login attempt.
*/
if (pwd && !rval && rootlogin && !rootterm(tty)) {
First of all, the comment preceding the test is misleading : Kerberos
authentication doesn't skip the test since revision 1.29. It should be
removed.
IMHO, there should be a (rootlogin && !rootterm(tty)) test even before
asking for a password, but at first we can remove the test of rval value.
--
Quentin Garnier - cube@cubidou.net
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.