Subject: Re: root password : security hole ?
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 03/12/2003 17:03:17
On Wed, Mar 12, 2003 at 02:38:36PM -0500, Greg A. Woods wrote:
> [ On Wednesday, March 12, 2003 at 13:28:45 (-0500), David Maxwell wrote: ]
> > Subject: Re: root password : security hole ?
> I think that's only a problem because of this long-standing "bug" in
> some telnetd implementations, and thus only a problem for those admins
I think this is in login - unless I mis-parsed your statement.
> Those of us who've never relied on getting extra help from the user end
> of a "password:" prompt are always very surprised when it so clearly
> reveals to us that we've made a typo, and we worry a great deal that
> this extra information could be of enormous value to an attacker.
If enough login attempts to brute-force (by top-100, or dictionary even)
your root password aren't giving you enough logging feedback to
recognize that the attempt is being made, that's a different problem.
I'd like to see a better method for NetBSD systems to alert the sysadmin
to critical events, like RAID disk failures, or breakin attempts, in
realtime. Syslog alone is insufficient - but this is a different thread
;-)
> altogether, but in the mean time it would seem prudent to at least make
> it somewhat harder for people to use easy-to-guess passwords. To that
> end I still think the feature I provided way back in PR#10206 is an
> important part of solving this puzzle. I now have most of the changes
> pulled forward to my netbsd-1-6 source tree too, if anyone's interested.
Please add them to the PR. I was looking at it a few months back, and
started pulling the changes forward - but if you already have them,
they're more likely to go in soon(er) :-)
--
David Maxwell, david@vex.net|david@maxwell.net -->
If you don't spend energy getting what you want,
You'll have to spend it dealing with what you get.
- Unknown