Subject: Re: root password : security hole ?
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 03/12/2003 14:38:36
[ On Wednesday, March 12, 2003 at 13:28:45 (-0500), David Maxwell wrote: ]
> Subject: Re: root password : security hole ?
>
> A problem with the latter is that it changes the normal behaviour,
> highlighting policy information to an unprivileged user.

I think that's only a problem because of this long-standing "bug" in
some telnetd implementations, and thus only a problem for those admins
who have become too accustomed to this bug to the point that they might
rely on it to help them identify their typos in their rush to do things
they probably shouldn't be doing in that way in the first place.  :-)

Those of us who've never relied on getting extra help from the user end
of a "password:" prompt are always very surprised when it so clearly
reveals to us that we've made a typo, and we worry a great deal that
this extra information could be of enormous value to an attacker.

> I like the current behaviour the best. Say 'Login incorrect', except
> when returning an error to a user who has proven he knows the password,
> so that he can stop typing passwords and decide to either use a
> different method of access, or enable the 'secure' flag on the needed
> port.

Ultimately the best solution is to stop using plain passwords
altogether, but in the meantime it would seem prudent to at least make
it somewhat harder for people to use easy-to-guess passwords.  To that
end I still think the feature I provided way back in PR#10206 is an
important part of solving this puzzle.  I now have most of the changes
pulled forward to my netbsd-1-6 source tree too, if anyone's interested.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
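The message-leak question David and Greg are arguing over, as an added example that is not part of the original post or of NetBSD's login(1)/telnetd: a toy login that checks a constructed account table and then either always answers "Login incorrect", or, when the password is right but root is on a tty not marked 'secure', says so. The second behaviour lets anyone who can reach an insecure tty confirm the root password without ever being allowed in. The account list, the salt-and-SHA-256 scheme, the tty names and the exact refusal wording are assumptions made for the demonstration, not values from the page.

```python
import hashlib
import hmac

# Constructed sample account database: user -> hex SHA-256(salt || password).
# These passwords are made up for the example.
SALT = b"constructed-salt"


def _hash(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


ACCOUNTS = {
    "root": _hash("correct horse"),
    "alice": _hash("hunter2"),
}

# ttys carrying the 'secure' flag (assumed; in NetBSD this comes from /etc/ttys).
SECURE_TTYS = {"console"}

LOGIN_INCORRECT = "Login incorrect"
ROOT_REFUSED = "root login refused on this terminal"  # assumed wording

# Hash of a nonsense password used for unknown users, so the work done does
# not depend on whether the account exists.
_DUMMY = _hash("\x00no-such-user")


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    stored = ACCOUNTS.get(user, _DUMMY)
    match = hmac.compare_digest(_hash(password), stored)
    return match and user in ACCOUNTS


def login(user: str, password: str, tty: str, reveal_policy: bool):
    """Return (success, message).

    reveal_policy=False: every failure is 'Login incorrect'.
    reveal_policy=True:  a correct root password on an insecure tty is
                         refused with a distinct message, which is exactly
                         the policy information the thread is worried about.
    """
    password_ok = check_password(user, password)
    root_allowed = user != "root" or tty in SECURE_TTYS
    if password_ok and root_allowed:
        return True, ""
    if password_ok and reveal_policy:
        return False, ROOT_REFUSED
    return False, LOGIN_INCORRECT


def oracle_guess(candidates, tty: str, reveal_policy: bool):
    """What an attacker on `tty` learns by trying root passwords: the list of
    candidates the refusal message confirms as correct."""
    confirmed = []
    for pw in candidates:
        _, msg = login("root", pw, tty, reveal_policy)
        if msg == ROOT_REFUSED:
            confirmed.append(pw)
    return confirmed


if __name__ == "__main__":
    guesses = ["password", "correct horse", "toor"]
    print("revealing:", oracle_guess(guesses, "ttyp0", True))   # ['correct horse']
    print("uniform:  ", oracle_guess(guesses, "ttyp0", False))  # []
```

Run from an insecure tty, the revealing variant turns a guessing loop into a root-password oracle; the uniform variant tells the attacker nothing beyond what a wrong password would, and the legitimate administrator still gets in from the console either way.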