Subject: Re: root password : security hole ?
To: Ignatios Souvatzis <ignatios@theory.cs.uni-bonn.de>
From: Quentin Garnier <netbsd@quatriemek.com>
List: netbsd-users
Date: 03/12/2003 11:30:40
On Wed, 12 Mar 2003 10:12:31 +0100,
Ignatios Souvatzis wrote:
> On Tue, Mar 11, 2003 at 06:52:24PM +0100, Florence HENRY wrote:
> 
> 
> > But if you give the good one, it says:
> > root login refused on this terminal.
> > 
> > On a digital unix, both give Login incorrect.
> > 
> > I know there is little chance that someone (human or not) guesses
> > the root password on the first try, but I don't like the idea of giving
> > anyone any indication about the root password.
> > 
> > What do you think about that? Could it be a security hole?
> 
> You reveal that the root password was correct. Hm.... Yes, I think 
> it should always say "Login incorrect." or maybe always "root login
> refused on this terminal."

The problem lies in usr.bin/login/login.c, near line 492:

/*
 * If trying to log in as root without Kerberos,
 * but with insecure terminal, refuse the login attempt.
 */
if (pwd && !rval && rootlogin && !rootterm(tty)) {

First of all, the comment preceding the test is misleading: Kerberos
authentication hasn't skipped the test since revision 1.29. It should be
removed.

IMHO, there should be a (rootlogin && !rootterm(tty)) test even before
asking for a password, but to begin with we can remove the test of the rval value.

-- 
Quentin Garnier - cube@cubidou.net
"Feels like I'm fiddling while Rome is burning down.
Should I lay my fiddle down and take a rifle from the ground ?"
Leigh Nash/Sixpence None The Richer, Paralyzed, Divine Discontents, 2002.
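The following is an added illustration, not code from this thread or from NetBSD's login.c: a small model of the decision described above, with the original ordering (terminal check only reached once the password is known to be correct) beside the reordered check that Quentin suggests, plus a test that asks whether the visible message differs between a right and a wrong root password on an insecure tty. The function names and the enum are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the login.c branch quoted in the thread; the real
 * program has far more state than the three flags used here. */
enum { PW_BAD = 0, PW_OK = 1 };

/* Original ordering: the "refused on this terminal" branch is only taken
 * when rval == 0, i.e. after the root password has already been verified.
 * (login.c convention: rval 0 means authenticated.) */
static const char *verdict_original(int rootlogin, int secure_tty, int pw_ok)
{
    int rval = pw_ok ? 0 : 1;
    if (rootlogin && !rval && !secure_tty)
        return "root login refused on this terminal.";
    if (rval)
        return "Login incorrect";
    return "OK";
}

/* Reordered: the terminal policy is applied before, and independently of,
 * the password result, and it reports the same text as a wrong password,
 * so the outcome no longer depends on whether the guess was right. */
static const char *verdict_hardened(int rootlogin, int secure_tty, int pw_ok)
{
    if (rootlogin && !secure_tty)
        return "Login incorrect";
    if (!pw_ok)
        return "Login incorrect";
    return "OK";
}

/* Oracle check for root on an insecure tty: 1 if a correct and an incorrect
 * password produce different messages (the leak in the thread), 0 otherwise. */
static int leaks_password_validity(const char *(*verdict)(int, int, int))
{
    const char *wrong = verdict(1, 0, PW_BAD);
    const char *right = verdict(1, 0, PW_OK);
    return strcmp(wrong, right) != 0;
}

int main(void)
{
    printf("original ordering: %s\n",
           leaks_password_validity(verdict_original) ? "leaks" : "no leak");
    printf("reordered check:   %s\n",
           leaks_password_validity(verdict_hardened) ? "leaks" : "no leak");
    return 0;
}
```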