Subject: Re: root password : security hole ?
To: Ignatios Souvatzis <ignatios@theory.cs.uni-bonn.de>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 03/12/2003 13:28:45
On Wed, Mar 12, 2003 at 10:12:31AM +0100, Ignatios Souvatzis wrote:
> hi,
> 
> On Tue, Mar 11, 2003 at 06:52:24PM +0100, Florence HENRY wrote:
> 
> 
> > But if you give the good one, it says :
> > root login refused on this terminal.
> > 
> > On a digital unix, both give Login incorrect.
> > 
> > I know there is little chance that someone (human or not) guesses the
> > root password on the first try, but I don't like the idea of giving anyone
> > any indication about the root password.
> > 
> > What do you think about that? Could it be a security hole?
> 
> You reveal that the root password was correct. Hm.... Yes, I think 
> it should always say "Login incorrect." or maybe always "root login
> refused on this terminal."

A problem with the former is that it could cause an admin to think 'Oh,
I typed the wrong password, it must be the "other" root password' and
proceed to type them all, one after another.

If they're on a keyboard port for console, there _probably_ isn't a key
capturing device between the port and keyboard. If it's a serial
console, there _probably_ isn't a Y connector off to a logging host...

Now you might say, this isn't a concern, because they're using telnet,
and must have decided the plaintext passwords are safe on their local
network. I tend to think "If they're using telnet at all, it's unlikely
(though not impossible) they're qualified to make that decision." Telnet
is off by default, you say? Many people turn things on without
considering the consequences.

A problem with the latter is that it changes the normal behaviour,
highlighting policy information to an unprivileged user.

I like the current behaviour the best. Say 'Login incorrect', except
when returning an error to a user who has proven he knows the password,
so that he can stop typing passwords and decide to either use a
different method of access, or enable the 'secure' flag on the needed
port.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
An organization gets what it rewards.
			      - Perry Metzger
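As an added illustration of the three message policies compared in the message above (this is example code written for this page, not NetBSD's login.c or anything posted in the thread): a small model of the root-on-insecure-tty decision, driven by a constructed /etc/ttys-style table in ttys(5) layout, with a check that tells mechanically whether a given policy lets the response distinguish a correct root password from a wrong one. The tty table, the account names, the passwords and the PBKDF2 stand-in for crypt(3) are all constructed for the example.

```python
"""Model of login(1)'s handling of root on a tty without the 'secure' flag.

Added example for the discussion above; it is not NetBSD's login.c. The
/etc/ttys table, the accounts and the password hashing scheme below are
all constructed for the example (real systems use crypt(3) and master.passwd).
"""
import hashlib
import hmac
import shlex

# Constructed /etc/ttys excerpt in ttys(5) layout: name, getty command,
# terminal type, then flags such as on/off and secure.
SAMPLE_TTYS = """\
# constructed sample, not a real /etc/ttys
console "/usr/libexec/getty Pc"        vt100   on secure
ttyE0   "/usr/libexec/getty Pc"        vt220   on secure
tty00   "/usr/libexec/getty std.9600"  unknown off secure
tty01   "/usr/libexec/getty std.9600"  unknown on
ttyp0   none                           network off
"""

# The three message policies discussed in the thread.
POLICY_REVEAL = "reveal"   # current behaviour: refusal message only after a correct password
POLICY_SILENT = "silent"   # always "Login incorrect."
POLICY_REFUSE = "refuse"   # always "root login refused on this terminal."

MSG_INCORRECT = "Login incorrect."
MSG_REFUSED = "root login refused on this terminal."


def parse_ttys(text):
    """Map each tty name to the set of flags that follow its terminal-type field."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)          # honours the quoted getty command
        if len(fields) < 4:
            continue                        # the status field is mandatory in ttys(5)
        name, _command, _termtype, *flags = fields
        entries[name] = set(flags)
    return entries


def tty_is_secure(entries, tty):
    """True only if the tty is listed and carries the 'secure' flag."""
    return "secure" in entries.get(tty, set())


# Constructed accounts; PBKDF2 stands in for crypt(3) so the example is self-contained.
_SALT = b"constructed-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"root": _hash("correct horse"), "florence": _hash("hunter2")}


def check_password(user, password):
    """Constant-time compare; hash even for unknown users so timing does not leak."""
    candidate = _hash(password)
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def login_attempt(user, password, tty, entries, policy=POLICY_REVEAL):
    """Return (success, message) for one attempt under the given policy."""
    ok = check_password(user, password)
    if user == "root" and not tty_is_secure(entries, tty):
        if policy == POLICY_REFUSE:
            return (False, MSG_REFUSED)     # same text regardless of the password
        if policy == POLICY_SILENT or not ok:
            return (False, MSG_INCORRECT)
        return (False, MSG_REFUSED)         # reveal: only a correct password reaches here
    if not ok:
        return (False, MSG_INCORRECT)
    return (True, "")


def is_distinguishable(entries, tty, policy):
    """Does the response to a correct root password differ from a wrong one on this tty?"""
    right = login_attempt("root", "correct horse", tty, entries, policy)
    wrong = login_attempt("root", "definitely-wrong", tty, entries, policy)
    return right != wrong


if __name__ == "__main__":
    table = parse_ttys(SAMPLE_TTYS)
    for policy in (POLICY_REVEAL, POLICY_SILENT, POLICY_REFUSE):
        print(policy, "leaks on tty01:", is_distinguishable(table, "tty01", policy))
```

Running the block reports that only the "reveal" policy gives a different answer on tty01 depending on whether the root password was right, which is the observation that started the thread; the "silent" and "refuse" rows show the two alternatives weighed above, each closing that difference at the cost described in the message.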